and this breaks things because I need the URL to be
Actually I was surprised that JBoss even put "FrontEnd" in there. How did it know not to use "AppServer"? So I investigated (using JBoss' RequestDumperValve) and found that the content switch (FrontEnd) adds some headers, including the following ones that seem especially relevant:
So with that information I can see why JBoss is doing what it does. My question (finally!) is, can I somehow persuade JBoss to use HTTPS in the redirect under these conditions?
(I'm hoping for some simple configuration setting rather than writing a valve or modifying the content switch).