So after looking into a good way to solve this one, here is what I came up with. First I looked at using a tree structure (suggested by Andrea) the same way the data access rules do. The problem is, however, that the set of resources being secured is not really discrete. And in the REST security they are specified with arbitrary regular expressions like /*/workspaces/*, etc., which makes them hard to sort with respect to one another and hard to build a tree from.
So I opted for a lower-tech solution, and that is just to maintain the order of the rules when read from the underlying property file. Therefore any exceptions can go at the top of the file and the catch-all rules like "/**" can go at the bottom to achieve the desired goal.
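
The ordered, first-match-wins evaluation described above, as an added example that is not part of the original comment or the project's code. The `pattern=role` file format, the role names, the wildcard semantics (`*` within one path segment, `**` across segments) and the deny-when-nothing-matches default are assumptions made for illustration.

```python
import re

# Constructed sample rule file (format assumed: "pattern=role", one rule per line).
# Exceptions sit above the catch-all "/**", as the comment describes.
RULES_TEXT = """\
# constructed sample, not a real configuration
/*/workspaces/*=ROLE_EDITOR
/public/**=ROLE_ANONYMOUS
/**=ROLE_ADMIN
"""

def pattern_to_regex(pattern):
    """Compile a path pattern; '**' spans segments, '*' stays inside one (assumed)."""
    parts = []
    for token in re.split(r"(\*\*|\*)", pattern):
        if token == "**":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(token))  # literal text, never treated as regex
    return re.compile("".join(parts))

def load_rules(text):
    """Return rules as a list so the file order is preserved exactly."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, role = line.rpartition("=")
        pattern = pattern.strip()
        rules.append((pattern, pattern_to_regex(pattern), role.strip()))
    return rules

def required_role(rules, path):
    """First matching rule wins; None means no rule matched (treated as deny here)."""
    for _pattern, regex, role in rules:
        if regex.fullmatch(path):
            return role
    return None

if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    for path in ("/rest/workspaces/topp", "/public/docs/a.html", "/rest/layers"):
        print(path, "->", required_role(rules, path))
```

Reversing the list puts `/**` first, after which every path resolves to the catch-all role and the exceptions are never reached.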