I have tried putting the following on my web.conf
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureResource</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
But when I publish I get a "Too many redirects" on chrome.
I assume you are running Glassfish behind a load balancer on AWS, and SSL termination is happening at the load balancer.
You need to configure Glassfish to check the x-forwarded-proto header to determine if the client is connecting via HTTP or HTTPS. You can do this via the scheme-mapping parameter in your domain.xml file:
<http default-virtual-server="server"
max-connections="100"
scheme-mapping="X-Forwarded-Proto">
Alternatively, you can run this command on the server to set the scheme-mapping value:
asadmin set server.network-config.protocols.protocol.http-listener-1.http.scheme-mapping=X-Forwarded-Proto