This might be a side-effect of the fix for
https://glassfish.dev.java.net/issues/show_bug.cgi?id=3374 (FORM authenticator should issue a redirect (instead of a request dispatch "forward") to the login page):
If the request that triggered FORM based authentication is over HTTPS, then the container issues a *RD.forward* to the login page. On the other hand, if the request that triggered FORM based authentication is over HTTP, then the container issues a *redirect* to the login page, so that if the login page is protected by a user-data-constraint with a transport-guarantee of "CONFIDENTIAL", the user-data-constraint will be honored, and the user credentials will be submitted over HTTPS.
[Message sent by forum member 'jluehe' (jluehe)]
http://forums.java.net/jive/thread.jspa?messageID=357305