The idea is that if you want to access a secure page (a page over SSL), then your login has to have been over SSL as well.
Otherwise, how would we know to trust the authentication?
The solution should be, that if you're having some pages be over SSL, you should make sure that login is over SSL as well.
There's an acs-kernel parameter to do this.
If this is not working as advertised here, please file a bug.
/Lars
