When attempting to download a Bitstream with no read access, the XMLUI BitstreamReader class responds differently depending on whether there is an authenticated user: if there is one, it just reports "access denied", but if there is none it offers a login page.
The code in 1.5.2 does not correctly detect a logged-in user and thus always offers the login option, which is confusing.
To reproduce the problem, remove all read access policies from a Bitstream, and attempt to view it in XMLUI, while logged in and not. The problem is
.getSession().getAttribute("dspace.current.user.id") does not return the logged-in user.
Patches included fix the problem for Bitstream and similar code in ItemExportDownloadReader (though I couldn't test that).
The only other similar code is in dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceCocoonServletFilter.java, but I don't use SSL redirection (and it looks unlikely to work in any case since there is no place to specify non-standard SSL ports) so I did not attempt to fix that. See the code starting at line 236, around getSession().getAttribute("dspace.current.user.id").