Details
- Bug
- Resolution: Fixed
- Critical
- None
- None
Description
Default roles have denies such as /.magnolia/pages/configuration*.
However, with the current implementation of info.magnolia.module.admininterface.PageMVCServlet, any user who has access to /.magnolia (but not to this specific page, as is the case for the eric sample user) can bypass that deny by simply requesting /.magnolia/pages/FOO/BAR/configuration.html
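An added illustration (not Magnolia's code) of the mismatch the issue describes and of the stricter, normalized lookup the linked ticket asks for. The page registry, the glob-style ACL format, the name-based loose lookup and the eric user's rules are all assumptions constructed for this example; only the deny pattern and the request path come from the issue.

```python
import fnmatch
import posixpath

# Constructed stand-in for the servlet's page registry: page name -> canonical path.
PAGES = {
    "configuration": "/.magnolia/pages/configuration",
    "about": "/.magnolia/pages/about",
}

# Simplified ACL for the eric sample user (assumed): may reach /.magnolia,
# but the default deny on /.magnolia/pages/configuration* applies.
ERIC_ALLOW = ["/.magnolia*"]
ERIC_DENY = ["/.magnolia/pages/configuration*"]


def is_permitted(path, allow, deny):
    """Deny rules win; otherwise the path needs a matching allow rule."""
    if any(fnmatch.fnmatchcase(path, d) for d in deny):
        return False
    return any(fnmatch.fnmatchcase(path, a) for a in allow)


def normalize(uri):
    """Canonicalize a request URI: drop the query string, collapse '//', './' and '../'."""
    return posixpath.normpath(uri.split("?", 1)[0])


def serve_loose(uri, allow, deny):
    """Assumed pre-fix behaviour: authorize the raw request string, but pick the
    page by its bare name, so the checked path and the served page can disagree."""
    if not is_permitted(uri, allow, deny):
        return None
    name = posixpath.basename(uri).rsplit(".", 1)[0]  # "configuration.html" -> "configuration"
    return PAGES.get(name)


def serve_strict(uri, allow, deny):
    """Hardened lookup: normalize first, resolve the page only by its exact
    canonical path, and authorize that canonical path, not the request string."""
    path = normalize(uri)
    if path.endswith(".html"):
        path = path[: -len(".html")]
    if path not in PAGES.values() or not is_permitted(path, allow, deny):
        return None
    return path
```

With the loose lookup the FOO/BAR request is authorized against a string the deny pattern does not match yet still resolves to the configuration page; the strict lookup refuses it, and also refuses a `..`-based variant once normalized.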
Issue Links
- clones MGNLADMLEG-48: PageMVCServlet should be using AggregationState or normalize URLs and be stricter when looking up which page to serve (Closed)