The Servlet is doing a RequestDispatch FORWARD to a JSP. We would like that JSP to be called via HTTPS (SSL).
We have the Constraint in web.xml below in place, but it still uses http://localhost::8080 when routing to the JSP
However, if you hit the JSP directly from the Browser it does switch the URL over to SSL.
Security constraints work only on the original request URI and not on calls made through a RequestDispatcher (which include <jsp:include> and <jsp:forward>). Inside the application, it is assumed that the application itself has complete access to all resources and would not forward a user request unless it had decided that the requesting user also had access.