I was debugging my AuthorizationProvider implementation and discovered this tiny mismatch in the AccessControlManagerImpl source code, line 117. The call to the default ACL is made passing the path string, instead of the username. It doesn't have impact presently, given the default ACL only has privileges for "everyone". It might have impact if the default ACL was configured somehow differently.