assertEquals("D2guest", permissionHelper.encode("(deny){group}guest"));
        assertEquals("DRguest", permissionHelper.encode("(deny){role}guest"));

        assertEquals("(deny){user}guest", permissionHelper.decode("D1guest"));
        assertEquals("(deny){group}guest", permissionHelper.decode("D2guest"));
        assertEquals("(deny){role}guest", permissionHelper.decode("DRguest"));

 * the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"

        assertNotNull(ace.getSID());
    }

    @Test
    @DisplayName("Test decode with deny ACE")
    void testDecodeDenyACE() throws Exception {
        // Prepare test data - Deny ACE
        testBuffer = new byte[100];
        testBuffer[0] = 0x01; // Deny ACE (non-zero)
        testBuffer[1] = 0x10; // FLAGS_INHERITED
        testBuffer[2] = 0x24; // Size low byte (36)

    protected String userPrefix = "{user}";

    /** Prefix used to identify allow permissions */
    protected String allowPrefix = "(allow)";

    /** Prefix used to identify deny permissions */
    protected String denyPrefix = "(deny)";

    /** System helper for user/group/role search operations */
    @Resource
    protected SystemHelper systemHelper;

    /**
     * Default constructor for PermissionHelper.

 * the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"

 * the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"

        assertTrue(pattern.match("/test/path"));
    }

    public void test_labelTypePattern_match_multilinePaths() {
        LabelTypePattern pattern = new LabelTypePattern("test", "/test.*\n/another.*", "/exclude.*\n/deny.*");

        // Should match first included path
        assertTrue(pattern.match("/test/path"));

        // Should match second included path
        assertTrue(pattern.match("/another/path"));

      throw death;
    } catch (Throwable t) {
      /*
       * This is not one of AppEngine's allowed classes, so even in Sun JDKs, this can fail with
       * a NoClassDefFoundError. Other apps might deny access to sun.misc packages.
       */
      return null;
    }
  }

  /**
   * Returns the Method that can be used to resolve an individual StackTraceElement, or null if that

    public static final int SE_GROUP_ENABLED = 4;
    /** Security group attribute: Group can be assigned as owner of objects */
    public static final int SE_GROUP_OWNER = 8;
    /** Security group attribute: Group is used for deny-only checks */
    public static final int SE_GROUP_USE_FOR_DENY_ONLY = 16;
    /** Security group attribute: Domain-local group */
    public static final int SE_GROUP_RESOURCE = 536870912;

    public static final int SE_GROUP_ENABLED = 4;
    /** Security group attribute: Group can be assigned as owner of objects */
    public static final int SE_GROUP_OWNER = 8;
    /** Security group attribute: Group is used for deny-only checks */
    public static final int SE_GROUP_USE_FOR_DENY_ONLY = 16;
    /** Security group attribute: Domain-local group */
    public static final int SE_GROUP_RESOURCE = 536870912;