It seems that everybody is delegating the checking of
transport-guarantee to somebody else, and as a result it is never checked.
Fortunately, this is easy to reproduce:

1) add a
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
to the security-constraint

2) Access the page via http://myserver/myapp/path/to/page

The page will happily be displayed even though the use of the http protocol
was disallowed.
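An added check for the behaviour the report describes (example code, not from the report or from any servlet container): given the web.xml constraint, it decides whether a plain-http response shows the transport guarantee being enforced. The web.xml, the url-patterns and the observed status codes are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: /path/to/* demands CONFIDENTIAL, /public/* does not.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/path/to/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/public/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

def confidential_patterns(web_xml):
    """url-patterns whose security-constraint carries transport-guarantee CONFIDENTIAL."""
    patterns = set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        if guarantee.strip().upper() == "CONFIDENTIAL":
            patterns.update(p.text.strip() for p in sc.iter("url-pattern"))
    return patterns

def matches(pattern, path):
    """Servlet-style matching: path prefix ('/a/*'), extension ('*.jsp') or exact."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def guarantee_enforced(web_xml, scheme, path, status, location=None):
    """Judge one observed response for a request to `path` (relative to the webapp).

    Returns False only when a plain-http request hit a CONFIDENTIAL path and the
    container served it anyway (the bug in the report): enforcement means either
    a redirect to an https: URL or an outright refusal (403)."""
    if scheme == "https":
        return True  # already confidential; nothing to enforce
    if not any(matches(p, path) for p in confidential_patterns(web_xml)):
        return True  # no transport guarantee applies to this path
    if status in (301, 302, 303, 307, 308) and (location or "").startswith("https://"):
        return True
    return status == 403

if __name__ == "__main__":
    # The reproduction from the report: http://myserver/myapp/path/to/page served with 200.
    print("enforced:", guarantee_enforced(WEB_XML, "http", "/path/to/page", 200))  # enforced: False
```

Feeding the function the status and Location header of a real response to the constrained URL tells you whether your container has the problem.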
