Not sure if this is the answer to your question, but it sounds like the same question I had on this, recently -- where/when does the ACL stuff get used?
The answer to that question is that there is an interceptor specified in one of the Spring XML files, around the "getAll()" method. That interceptor redirects control to the voter and the whole authorization procedure.
Hard to catch, even with a debugger. Hope that helps.