assertEquals("D2guest", permissionHelper.encode("(deny){group}guest"));
        assertEquals("DRguest", permissionHelper.encode("(deny){role}guest"));

        assertEquals("(deny){user}guest", permissionHelper.decode("D1guest"));
        assertEquals("(deny){group}guest", permissionHelper.decode("D2guest"));
        assertEquals("(deny){role}guest", permissionHelper.decode("DRguest"));

        assertNotNull(ace.getSID());
    }

    @Test
    @DisplayName("Test decode with deny ACE")
    void testDecodeDenyACE() throws Exception {
        // Prepare test data - Deny ACE
        testBuffer = new byte[100];
        testBuffer[0] = 0x01; // Deny ACE (non-zero)
        testBuffer[1] = 0x10; // FLAGS_INHERITED
        testBuffer[2] = 0x24; // Size low byte (36)

    protected String userPrefix = "{user}";

    /** Prefix used to identify allow permissions */
    protected String allowPrefix = "(allow)";

    /** Prefix used to identify deny permissions */
    protected String denyPrefix = "(deny)";

    /** System helper for user/group/role search operations */
    @Resource
    protected SystemHelper systemHelper;

    /**
     * Default constructor for PermissionHelper.

    }

    @Test
    public void test_labelTypePattern_match_multilinePaths() {
        LabelTypePattern pattern = new LabelTypePattern("test", "/test.*\n/another.*", "/exclude.*\n/deny.*");

        // Should match first included path
        assertTrue(pattern.match("/test/path"));

        // Should match second included path
        assertTrue(pattern.match("/another/path"));

            test.jvmArgs(
                "-Xmx" + System.getProperty("tests.heap.size", "512m"),
                "-Xms" + System.getProperty("tests.heap.size", "512m"),
                "--illegal-access=deny",
                // TODO: only open these for mockito when it is modularized
                "--add-opens=java.base/java.security.cert=ALL-UNNAMED",
                "--add-opens=java.base/java.nio.channels=ALL-UNNAMED",

			// the policy engine matches all Deny statements first, without regard to Resources (for KMS).
			// This is for backwards compatibility where historically KMS statements ignored Resources.
			policy: `{
						"Effect": "Allow",
						"Action": ["kms:ListKeys"]
					},{
						"Effect": "Deny",
						"Action": ["kms:ListKeys"],
						"Resource": ["arn:minio:kms:::default-test-key"]

					errors.New("service accounts cannot be generated for temporary credentials without parent")), r.URL)
				return
			}
			targetUser = requestorParentUser
		}
		targetGroups = requestorGroups

		// Deny if the target user is not LDAP
		foundResult, err := globalIAMSys.LDAPConfig.GetValidatedDNForUsername(targetUser)
		if err != nil {
			writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
			return
		}

      throw death;
    } catch (Throwable t) {
      /*
       * This is not one of AppEngine's allowed classes, so even in Sun JDKs, this can fail with
       * a NoClassDefFoundError. Other apps might deny access to sun.misc packages.
       */
      return null;
    }
  }

  /**
   * Returns the Method that can be used to resolve an individual StackTraceElement, or null if that

    public static final int SE_GROUP_ENABLED = 4;
    /** Security group attribute: Group can be assigned as owner of objects */
    public static final int SE_GROUP_OWNER = 8;
    /** Security group attribute: Group is used for deny-only checks */
    public static final int SE_GROUP_USE_FOR_DENY_ONLY = 16;
    /** Security group attribute: Domain-local group */
    public static final int SE_GROUP_RESOURCE = 536870912;

    public static final int SE_GROUP_ENABLED = 4;
    /** Security group attribute: Group can be assigned as owner of objects */
    public static final int SE_GROUP_OWNER = 8;
    /** Security group attribute: Group is used for deny-only checks */
    public static final int SE_GROUP_USE_FOR_DENY_ONLY = 16;
    /** Security group attribute: Domain-local group */
    public static final int SE_GROUP_RESOURCE = 536870912;