There is an inconsistency in how AuthorizationFilter and AuthorizationManagerWebInvocationPrivilegeEvaluator check if access should be granted. More specifically, AuthorizationFilter uses AuthorizationManager.check which will grant access if the AuthorizationManager abstains making a decision. However, AuthorizationManagerWebInvocationPrivilegeEvaluator will deny access if the AuthorizationManager abstains making a decision.
We should change AuthorizationManagerWebInvocationPrivilegeEvaluator to align with AuthorizationManager.check