I reviewed the patch, great to see that we are adding a test for this.
1) if attached patch3 supersedes patch 2 please remove 2.
2) could you add documentation for "fixupACL" method? there's quite a bit going on in that method and it's not really clear what the contract is.
3) line 409 (fixupacl method) logs error for "missing authenciation provider...", is this really an error? (no exception thrown as a result...) should we be notifying the client in this case (might help with client side debugging. Perhaps a new jira for this?
4) line 65 preprequestprocessor.java, could we log an INFO message here that states that acl checking is being skipped (might help w/debugging down the road).