When you try to automate your Glassfish administration duties with its REST API using POST or DELETE methods, and all you get is HTTP response 400 and zero content, you forgot to read this:
REST requests that add, update, or delete objects must specify the
X-Requested-Byheader with the value
GlassFish REST HTML interface.
It is intended to prevent CSRF attacks as noted in Jason’s Lee post.