It seems that everybody is delegating the checking of transport-guarantee to somebody else, and as a result it is never checked. Fortunately, this is easy to reproduce:

1) Add a <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint> to the security-constraint.
2) Access the page via http://myserver/myapp/path/to/page

The page will happily be displayed even though the use of the http protocol was disallowed.
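Until the container enforces the constraint itself, the behaviour described above can be checked and blocked at the application level. The following servlet filter is an added example written for this report, not code from the original post or from the container project being discussed; it assumes a Servlet-API web application and a hypothetical init-param `httpsPort` for the TLS port, and it reproduces what CONFIDENTIAL is supposed to guarantee: a request that did not arrive over TLS never reaches the protected resource.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical fallback filter (not part of any container): enforces the
 * equivalent of <transport-guarantee>CONFIDENTIAL</transport-guarantee> on
 * every URL it is mapped to, so that a plain-http request is refused or
 * redirected even when the container's security-constraint handling does
 * not check the user-data-constraint.
 */
public class RequireConfidentialFilter implements Filter {

    // Assumed default; override with the (hypothetical) init-param "httpsPort".
    private int httpsPort = 443;

    @Override
    public void init(FilterConfig config) {
        String port = config.getInitParameter("httpsPort");
        if (port != null) {
            httpsPort = Integer.parseInt(port);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only when the container itself saw the request arrive over TLS.
        if (!request.isSecure()) {
            String method = request.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method)) {
                // Idempotent requests are sent to the https equivalent of the same URL.
                StringBuilder target = new StringBuilder("https://")
                        .append(request.getServerName());
                if (httpsPort != 443) {
                    target.append(':').append(httpsPort);
                }
                target.append(request.getRequestURI());
                if (request.getQueryString() != null) {
                    target.append('?').append(request.getQueryString());
                }
                response.sendRedirect(target.toString());
            } else {
                // A body already sent in the clear is not silently replayed over TLS; refuse it.
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "This resource requires a confidential (TLS) transport");
            }
            return;
        }

        // Request arrived over TLS: let it through to the protected resource.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter in web.xml to the same url-pattern as the security-constraint from step 1, then repeat step 2: the http request must now be redirected (GET/HEAD) or rejected with 403, and only the https URL should render the page. Note that `isSecure()` reflects the connection as the container sees it, so behind a TLS-terminating proxy the connector must be configured to recognise the forwarded scheme or every request will be treated as cleartext.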