Index: vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/jcr_root/testroot/secured/.content.xml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/jcr_root/testroot/secured/.content.xml	(revision )
+++ vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/jcr_root/testroot/secured/.content.xml	(revision )
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:nt="http://www.jcp.org/jcr/nt/1.0" xmlns:rep="internal"
+    jcr:mixinTypes="[rep:AccessControllable]"
+    jcr:primaryType="nt:folder"/>
Index: vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/nodetypes.cnd
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/nodetypes.cnd	(revision )
+++ vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/nodetypes.cnd	(revision )
@@ -0,0 +1,8 @@
+<'sling'='http://sling.apache.org/jcr/sling/1.0'>
+<'nt'='http://www.jcp.org/jcr/nt/1.0'>
+
+[sling:Folder] > nt:folder
+  - * (undefined)
+  - * (undefined) multiple
+  + * (nt:base) = sling:Folder version
+
Index: vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/definition/.content.xml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/definition/.content.xml	(revision )
+++ vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/definition/.content.xml	(revision )
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:vlt="http://www.day.com/jcr/vault/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:nt="http://www.jcp.org/jcr/nt/1.0"
+    jcr:created="{Date}2018-05-17T17:41:46.815+02:00"
+    jcr:createdBy="admin"
+    jcr:description="AC Handling: OverWrite"
+    jcr:lastModified="{Date}2018-05-17T17:41:46.815+02:00"
+    jcr:lastModifiedBy="admin"
+    jcr:primaryType="vlt:PackageDefinition"
+    acHandling="overwrite"
+    buildCount="1"
+    builtWith=""
+    fixedBugs=""
+    group="support"
+    lastUnwrapped="{Date}2018-05-17T17:41:46.815+02:00"
+    lastUnwrappedBy="admin"
+    lastWrapped="{Date}2018-05-17T17:41:46.815+02:00"
+    lastWrappedBy="admin"
+    name=""
+    providerLink=""
+    providerName=""
+    providerUrl=""
+    testedWith=""
+    version="">
+    <filter jcr:primaryType="nt:unstructured">
+        <f0
+            jcr:primaryType="nt:unstructured"
+            mode="replace"
+            root="/testroot/secured"
+            rules="[]"/>
+    </filter>
+    <screenshots jcr:primaryType="nt:unstructured"/>
+</jcr:root>
Index: vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/jcr_root/.content.xml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/jcr_root/.content.xml	(revision )
+++ vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/jcr_root/.content.xml	(revision )
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:mixinTypes="[rep:AccessControllable]"
+    jcr:primaryType="rep:root"
+    sling:resourceType="sling:redirect"
+    sling:target="/index.html">
+    <rep:policy/>
+    <jcr:system/>
+    <var/>
+    <libs/>
+    <etc/>
+    <apps/>
+    <content/>
+    <tmp/>
+    <home/>
+    <testroot/>
+</jcr:root>
Index: vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/properties.xml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/properties.xml	(revision )
+++ vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/properties.xml	(revision )
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+<comment>FileVault Package Properties</comment>
+<entry key="createdBy">admin</entry>
+<entry key="name">mode_ac_test_a</entry>
+<entry key="lastModified">2011-11-15T09:43:22.972+01:00</entry>
+<entry key="lastModifiedBy">admin</entry>
+<entry key="created">2011-11-15T09:43:22.993+01:00</entry>
+<entry key="buildCount">1</entry>
+<entry key="version"/>
+<entry key="dependencies"/>
+<entry key="packageFormatVersion">2</entry>
+<entry key="description"/>
+<entry key="lastWrapped">2011-11-15T09:43:22.972+01:00</entry>
+<entry key="group"/>
+<entry key="lastWrappedBy">admin</entry>
+<entry key="acHandling">overwrite</entry>
+</properties>
Index: vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter.java	(revision 1832534)
+++ vault-core/src/main/java/org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter.java	(revision )
@@ -134,16 +134,6 @@
         states.push(state);
     }
 
-    private static ACE addACE(Map<String, List<ACE>> map, ACE ace) {
-        List<ACE> list = map.get(ace.principalName);
-        if (list == null) {
-            list = new ArrayList<ACE>();
-            map.put(ace.principalName, list);
-        }
-        list.add(ace);
-        return ace;
-    }
-
     public void endNode() throws SAXException {
         State state = states.pop();
         importPolicy.endNode(state);
@@ -177,14 +167,11 @@
         abstract void apply(List<String> paths) throws RepositoryException;
 
         Principal getPrincipal(final String principalName) {
-            Principal principal = pMgr.getPrincipal(principalName);
-            if (principal == null) {
-                principal = new Principal() {
+            Principal principal = new Principal() {
-                    public String getName() {
-                        return principalName;
-                    }
-                };
+                public String getName() {
+                    return principalName;
+                }
+            };
-            }
             return principal;
         }
 
@@ -214,7 +201,7 @@
 
     private final class ImportedAcList extends ImportedPolicy<JackrabbitAccessControlList> {
 
-        private Map<String, List<ACE>> aceMap = new LinkedHashMap<String, List<ACE>>();
+        private List<ACE> aceList = new ArrayList<>();
         private ACE currentACE;
 
         private ImportedAcList() {
@@ -224,7 +211,8 @@
         State append(State state, DocViewNode childNode) {
             if (state == State.ACL) {
                 try {
-                    currentACE = addACE(aceMap, new ACE(childNode));
+                    currentACE = new ACE(childNode);
+                    aceList.add(currentACE);
                     return State.ACE;
                 } catch (IllegalArgumentException e) {
                     log.error("Error while reading access control content: {}", e);
@@ -272,9 +260,9 @@
         // clear all ACEs of the package principals for merge (VLT-94), otherwise the `acl.addEntry()` below
         // might just combine the privileges.
         if (aclHandling == AccessControlHandling.MERGE) {
-            for (String name: aceMap.keySet()) {
+            for (ACE entry : aceList) {
                 for (AccessControlEntry ace : acl.getAccessControlEntries()) {
-                    if (ace.getPrincipal().getName().equals(name)) {
+                    if (ace.getPrincipal().getName().equals(entry.principalName)) {
                         acl.removeAccessControlEntry(ace);
                     }
                 }
@@ -282,38 +270,36 @@
         }
 
             // apply ACEs of package
-            for (Map.Entry<String, List<ACE>> entry: aceMap.entrySet()) {
-                final String principalName = entry.getKey();
+            for (ACE ace : aceList) {
+                final String principalName = ace.principalName;
                 if (aclHandling == AccessControlHandling.MERGE_PRESERVE && existingPrincipals.contains(principalName)) {
                     // skip principal if it already has an ACL
                     continue;
                 }
                 Principal principal = getPrincipal(principalName);
 
-                for (ACE ace: entry.getValue()) {
-                    Privilege[] privileges = new Privilege[ace.privileges.length];
-                    for (int i = 0; i < privileges.length; i++) {
-                        privileges[i] = acMgr.privilegeFromName(ace.privileges[i]);
-                    }
-                    Map<String, Value> svRestrictions = new HashMap<String, Value>();
-                    Map<String, Value[]> mvRestrictions = new HashMap<String, Value[]>();
-                    for (String restName : acl.getRestrictionNames()) {
-                        DocViewProperty restriction = ace.restrictions.get(restName);
-                        if (restriction != null) {
-                            Value[] values = new Value[restriction.values.length];
-                            int type = acl.getRestrictionType(restName);
-                            for (int i=0; i<values.length; i++) {
-                                values[i] = valueFactory.createValue(restriction.values[i], type);
-                            }
-                            if (restriction.isMulti) {
-                                mvRestrictions.put(restName, values);
-                            } else {
-                                svRestrictions.put(restName, values[0]);
-                            }
-                        }
-                    }
-                    acl.addEntry(principal, privileges, ace.allow, svRestrictions, mvRestrictions);
+                Privilege[] privileges = new Privilege[ace.privileges.length];
+                for (int i = 0; i < privileges.length; i++) {
+                    privileges[i] = acMgr.privilegeFromName(ace.privileges[i]);
+                }
+                Map<String, Value> svRestrictions = new HashMap<String, Value>();
+                Map<String, Value[]> mvRestrictions = new HashMap<String, Value[]>();
+                for (String restName : acl.getRestrictionNames()) {
+                    DocViewProperty restriction = ace.restrictions.get(restName);
+                    if (restriction != null) {
+                        Value[] values = new Value[restriction.values.length];
+                        int type = acl.getRestrictionType(restName);
+                        for (int i=0; i<values.length; i++) {
+                            values[i] = valueFactory.createValue(restriction.values[i], type);
+                        }
+                        if (restriction.isMulti) {
+                            mvRestrictions.put(restName, values);
+                        } else {
+                            svRestrictions.put(restName, values[0]);
+                        }
+                    }
+                }
+                acl.addEntry(principal, privileges, ace.allow, svRestrictions, mvRestrictions);
-                }
             }
             acMgr.setPolicy(accessControlledPath, acl);
 
\ No newline at end of file
Index: vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/filter.xml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/filter.xml	(revision )
+++ vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/META-INF/vault/filter.xml	(revision )
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<workspaceFilter version="1.0">
+    <filter root="/testroot" mode="merge"/>
+</workspaceFilter>
Index: vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/jcr_root/testroot/secured/_rep_policy.xml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/jcr_root/testroot/secured/_rep_policy.xml	(revision )
+++ vault-core/src/test/resources/org/apache/jackrabbit/vault/packaging/integration/testpackages/ace_order_overwrite.zip/jcr_root/testroot/secured/_rep_policy.xml	(revision )
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
+    jcr:primaryType="rep:ACL">
+    <allow
+        jcr:primaryType="rep:GrantACE"
+        rep:principalName="everyone"
+        rep:privileges="{Name}[jcr:write]">
+        <rep:restrictions
+            jcr:primaryType="rep:Restrictions"
+            rep:glob="/foo"/>
+    </allow>
+    <deny1
+        jcr:primaryType="rep:DenyACE"
+        rep:principalName="testuser"
+        rep:privileges="{Name}[jcr:write]">
+        <rep:restrictions
+            jcr:primaryType="rep:Restrictions"
+            rep:glob="/foo"/>
+    </deny1>
+    <allow2
+        jcr:primaryType="rep:GrantACE"
+        rep:principalName="everyone"
+        rep:privileges="{Name}[jcr:write]">
+        <rep:restrictions
+            jcr:primaryType="rep:Restrictions"
+            rep:glob="/bar"/>
+    </allow2>
+</jcr:root>
Index: vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/TestAceOrder.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/TestAceOrder.java	(revision )
+++ vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/TestAceOrder.java	(revision )
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.vault.packaging.integration;
+
+import java.security.Principal;
+import java.util.List;
+import javax.annotation.Nonnull;
+import javax.jcr.Node;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.junit.Ignore;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * Test if order of ACE is preserved upon import
+ */
+public class TestAceOrder extends IntegrationTestBase {
+
+    private final static String NAME_TEST_USER = "testuser";
+
+    private UserManager uMgr;
+    private AccessControlManager acMgr;
+
+    private List<AccessControlEntry> expectedEntries;
+
+    @Override
+    public void setUp() throws Exception {
+        super.setUp();
+        uMgr = ((JackrabbitSession) admin).getUserManager();
+        User testuser = uMgr.createUser(NAME_TEST_USER, null);
+        admin.save();
+
+        acMgr = admin.getAccessControlManager();
+
+        Node tmp = admin.getRootNode().addNode("testroot").addNode("secured");
+        JackrabbitAccessControlList list = AccessControlUtils.getAccessControlList(acMgr, tmp.getPath());
+        Privilege[] writePrivilege = AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_WRITE);
+        ValueFactory vf = admin.getValueFactory();
+        Principal everyone = ((JackrabbitSession) admin).getPrincipalManager().getEveryone();
+        list.addEntry(everyone, writePrivilege, true, ImmutableMap.of("rep:glob", vf.createValue("/foo")));
+        list.addEntry(testuser.getPrincipal(), writePrivilege, false, ImmutableMap.of("rep:glob", vf.createValue("/foo")));
+        list.addEntry(everyone, writePrivilege, true, ImmutableMap.of("rep:glob", vf.createValue("/bar")));
+        acMgr.setPolicy(tmp.getPath(), list);
+
+        expectedEntries = ImmutableList.copyOf(list.getAccessControlEntries());
+
+        admin.refresh(false);
+    }
+
+    @Override
+    public void tearDown() throws Exception {
+        try {
+            if (admin.nodeExists("/testroot")) {
+                admin.getNode("/testroot").remove();
+                admin.save();
+            }
+            Authorizable testUser = uMgr.getAuthorizable(NAME_TEST_USER);
+            if (testUser != null) {
+                testUser.remove();
+                admin.save();
+            }
+        } finally {
+            super.tearDown();
+        }
+    }
+
+    private void assertACEs(@Nonnull String path) throws Exception {
+        JackrabbitAccessControlList list = AccessControlUtils.getAccessControlList(acMgr, path);
+        AccessControlEntry[] entries = list.getAccessControlEntries();
+
+        assertEquals(expectedEntries, ImmutableList.copyOf(entries));
+    }
+
+    @Test
+    public void testHandlingOverwrite() throws Exception {
+        assertNodeMissing("/testroot/secured");
+
+        extractVaultPackage("testpackages/ace_order_overwrite.zip");
+
+        // test if nodes and ACLs of first package exist
+        assertNodeExists("/testroot/secured");
+        assertACEs("/testroot/secured");
+    }
+}
\ No newline at end of file