the request comes from a trusted IP (Tomcat's RemoteIpValve)
i.e., the HttpServletRequest.getScheme does not return https because the web server (i.e. Apache Tomcat) does not trust the source of the request, so the headers are ignored.
I'm not sure why that filter is even in the UAA. The code of the filter basically states:
_Apache Tomcat doesn't trust the X-Forwarded-Proto header, so our code will do so instead and override the behavior_
So that code should not exist, as it indicates a workaround for a misconfigured system.
You need to configure your RemoteIpValve correctly if you are using Apache Tomcat.
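
The valve setup the comment above refers to, as an added example that is not part of the original comment or of the UAA code base. It assumes a single reverse proxy that terminates TLS; the address 192.0.2.10 is a constructed placeholder for that proxy.

```xml
<!-- Tomcat conf/server.xml, inside the <Engine>, <Host> or <Context> element.
     Constructed example: 192.0.2.10 is a placeholder for the reverse proxy. -->

<!-- Weak setting, shown commented out: the internalProxies regex matches every
     client address, so Tomcat accepts X-Forwarded-Proto from any sender and
     getScheme() returns whatever the client claims.

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies=".*"
       protocolHeader="X-Forwarded-Proto" />
-->

<!-- Corrected setting: only requests whose TCP peer address matches the proxy
     are trusted. For those requests the valve rewrites the remote address from
     X-Forwarded-For and sets the scheme and secure flag from X-Forwarded-Proto.
     Requests from any other address keep the scheme of the connector they
     arrived on, and their forwarded headers are ignored. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="192\.0\.2\.10"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />
```

With the valve scoped to the real proxy address, an application-level filter that reads X-Forwarded-Proto itself has nothing left to do, because HttpServletRequest.getScheme already returns https for proxied TLS requests.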