Thanks for wildcard link. I did not implement '*', I'll finish it as well. Is it possible to have kind of regular expression like STOCKS.PRICE.NYSE.*BM ?
Regarding composite destinations, I would like your attention:
Union of ACLs means that if a user has privilege on at least one destination, all destinations will allow operation.
Intersection of ACLs means that if a user lacks privilege on at least one destination, no destination will allow operation.
I'll produce a test to verify this but my point is that current implementation of union is a security leak (if my understanding is correct). Suppose that a guest user wants to read from a destination not authorized for guests, say destination USERS.SECRET. A guest may create a destination in GUEST space with all necessary privileges, say GUEST.ALLOW. Now, the user creates a composite destination (GUEST.ALLOW, USERS.SECRET) and attempts an operation:
Case UNION: as operation is permitted on GUEST.ALLOW it is sufficient for composite destination; operation is performed on both destinations in spite of the fact that user is not authorized for the other.
Case INTERSECTION: as operation is NOT permitted on USERS.SECRET no operation is attempted on composite destination.
Now, maybe I got it wrong but the method 'getXXXXXACLs()' in DefaultAuthorizationMap is pretty clear - it adds all ACLs from all entries...