Looking at 1.5.7 (may also be the case in later versions)

IIUC, removing a User from the UserManager causes a NoSuchPrincipalException in ACLTemplate.init(...), line 113, which generates a deny on that node, regardless of the user accessing the node.

IMHO, there should be a try/catch on the processing of each ACE to guard against this.

Removing all ACEs at the same time as removing a Principal is probably not practical, as the PrincipalManager might (if replaced) look up principals externally.

?

Can provide a patch, if this is the right approach.
Ian
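
The failure mode and the per-ACE guard described in the message above, as an added example that is not part of the original post and is not Jackrabbit code. `AceLoadDemo`, `StoredAce`, `LoadResult`, `resolve` and the local `NoSuchPrincipalException` are hypothetical stand-ins, the sample entries are constructed, and Java 16 or later is assumed for records.

```java
import java.util.*;

// Added illustration with stand-in types; this is not Jackrabbit's ACLTemplate code.
public class AceLoadDemo {
    // Local stand-in for the exception named in the post.
    static class NoSuchPrincipalException extends Exception {
        NoSuchPrincipalException(String name) { super(name); }
    }
    record StoredAce(String principalName, boolean allow, String privilege) {}
    record LoadResult(List<StoredAce> entries, List<String> skipped) {}

    // Hypothetical principal lookup: only names in 'known' resolve.
    static void resolve(Set<String> known, String name) throws NoSuchPrincipalException {
        if (!known.contains(name)) throw new NoSuchPrincipalException(name);
    }

    // Reported behaviour: one unresolvable ACE aborts the load for the whole node.
    static List<StoredAce> loadAllOrNothing(List<StoredAce> stored, Set<String> known)
            throws NoSuchPrincipalException {
        List<StoredAce> out = new ArrayList<>();
        for (StoredAce ace : stored) { resolve(known, ace.principalName()); out.add(ace); }
        return out;
    }

    // Proposed guard: catch per ACE, skip the orphan and record it for cleanup.
    static LoadResult loadPerEntry(List<StoredAce> stored, Set<String> known) {
        List<StoredAce> out = new ArrayList<>();
        List<String> skipped = new ArrayList<>();
        for (StoredAce ace : stored) {
            try {
                resolve(known, ace.principalName());
                out.add(ace);
            } catch (NoSuchPrincipalException e) {
                skipped.add(e.getMessage()); // report it instead of failing the node
            }
        }
        return new LoadResult(out, skipped);
    }

    public static void main(String[] args) {
        // Constructed sample data: "bob" has been removed from the user manager.
        Set<String> known = Set.of("alice", "admins");
        List<StoredAce> stored = List.of(new StoredAce("alice", true, "jcr:read"),
                new StoredAce("bob", true, "jcr:write"), new StoredAce("admins", true, "jcr:all"));
        try { loadAllOrNothing(stored, known); }
        catch (NoSuchPrincipalException e) { System.out.println("all-or-nothing failed on: " + e.getMessage()); }
        LoadResult r = loadPerEntry(stored, known);
        System.out.println("per-entry kept " + r.entries().size() + ", skipped " + r.skipped());
    }
}
```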
