Can someone provide some background on the implementation of o.a.j.core.security.authorization.acl.ACLProvider?
For example, why is the entire path of nodes from root to leaf consulted when making authorization decisions? One could imagine an implementation that consults only the first non-empty ACL starting at the leaf and moving up towards the root. Additionally, why are the access control entries ordered by principal? At first I thought that ACE order mattered, but now I'm not sure. In general, the logic behind buildResult() is a mystery. Any help would be appreciated.
