On my public instance there are some images that are not displayed. The images by it self will show a login screen and an Exception is thrown:

ERROR info.magnolia.module.cache.filter.CacheFilter     : A request started to cache but failed with an exception (AccessDeniedException: Access denied).

Some images are displayed though. It turns out that as soon an image is created by a non-anomymous user once, it will be displayed by anonymous users from then on.

The anonymous user has of course the appropriate rights (read/write to imaging):

Role: imaging-base
Read/Write permission in the workspace imaging with path /*

(No other rules on workspace imaging.)

I debugged it down to the AccessDeniedException that is thrown in SimpleAccessManager when the cache image is tried to be created.

org.apache.jackrabbit.core.security.simple.SimpleAccessManager

public void checkPermission(Path absPath, int permissions) throws AccessDeniedException, RepositoryException {
    if (!isGranted(absPath, permissions)) {
        throw new AccessDeniedException("Access denied");
    }
}

isGranted will end up here:

...
} else if (anonymous) {
    // anonymous is only granted READ permissions
    return permissions == Permission.READ;
}
...

(SimpleAccessManager.anoymous is true.)

So the ACL is obviously never considered.

Am I doing something wrong? Or is this a bug?

Tested in 4.5.3 and 4.5.5