For the github-oauth-plugin people want to use the existing GlobalMatrixAuthorizationStrategy and enable things like the github-webhook callback. Currently I have my own AuthorizationStrategy that supports these extra callback URL's but I want to be able to transparently support them without caring which specific AuthorizationStrategy is being used.

My solution is to add a new extension point into Jenkins that is invoked at the base ACL class that checks if any ACLPermissionOverride extensions want to grant the permission before the ACL checks its own authorization logic.

For the github-oauth-plugin it means that I can add in these extra URL's allow options into my SecurityRealm and then get them applied before the GlobalMatrixAuthorizationStrategy's ACL logic is used.