It seems that the CugConfiguration may under some circumstances not properly pick up the CugExclude, which results in the CugConfiguration falling back to the default, which only excludes the AdminPrincipal, SystemPrincipal and SystemUserPrincipals from CUG evaluation.
In order to address the issue without disrupting the default setup, I would like to propose the following changes:
- CugConfiguration: Change reference cardinality of the CugExclude from ReferenceCardinality.OPTIONAL_UNARY to ReferenceCardinality.MANDATORY_UNARY
- CugExcludeImpl: Don't require an explicit configuration (i.e. drop ConfigurationPolicy.REQUIRE). Since it extends from CugExclude.Default, the default behavior in absence of a configured set of principal names will be equivalent to the intended default in CugConfiguration with the optional reference.