All the XML schemas can be found in $JBOSS_HOME/docs/schema.
Have you set the "transport-guarantee" in the web.xml for the application?
Hmm... perhaps I misunderstood. You only want to trigger the login when using https and NOT http. So who do you want to be logged in as when using http? Noone?
yes - 'transport-guarantee' has been set to CONFIDENTIAL
you are right - the trigger for login is only while accessed via https
Internal users are entitled to access the application via http port which will not be exposed outside. (this restriction in the port is yet to be implemented)