SEC-439: Do not modify the object (ie replace it with null) unless the provider is supposed to fire according to the processDomainObjectClass property.

core/src/main/java/org/acegisecurity/afterinvocation/AclEntryAfterInvocationProvider.java

@@ -92,7 +92,7 @@ public class AclEntryAfterInvocationProvider extends AbstractAclProvider impleme
                         logger.debug("Return object is not applicable for this provider, skipping");
                     }
 
-                    return null;
+                    return returnedObject;
                 }
 
                 if (hasPermission(authentication, returnedObject)) {