Are the security checks not going to take place in /resources even if the connection is secure via https? (my vote is that it never check permissions even if it is a secure connection). Currently RP treats permissions on secure connections differently then insecure ones. i.e. the public could not see the graphics in my /graphics directory on the
https://site.com/register page without a hack to the ad_login_page proc (found in packages/acs-tcl/tcl/security-procs.tcl file), though they could see it when on straight http:// ... is there a reason why the request processor treats permissions differently if you are connected via https?