Converter ignores access control content and users/groups in .content.xml files

kpauls, while trying to find more edge cases that could cause SLING-10754, i noticed that not only sibling nodes but also access control content (like e.g. rep:policy nodes) contained in a .content.xml get installed by Jackrabbit Filevault even if those nodes are not covered by the corresponding WorkspaceFilter.

It also seems that these package 'entries' are not spotted by the converter and thus the dedicated EntryHandler implementations that are intended to analyze and convert special content like e.g. access control (but probably not limited to that) are not triggered.

In other words: content hidden in .content.xml will not be properly converted but will be installed even if not covered by filter.xml associated with the content package. I don't know if that actually intended behavior of Jackrabbit FileVault (the documentation clearly stating that everything should be covered by filter rules [0], section 'Usage for Import/Installation'), but if it is correct it might in the worse case require the converter to parse all .content.xml files and delegate to the proper handler implementations.

kwin, I would appreciate your input on the FileVault related question of this ticket. In particular: is it correct and intended that subnodes defined in .content.xml get installed even if not covered by any filter rule?

[0] https://jackrabbit.apache.org/filevault/filter.html