Looks like we need:
<sec:http pattern="/play/*" security="none" />
in etc/security/mh_default_org.xml for non-admin users to be able to play videos.
Steps to reproduce:
1. Publish a video with an ACL that allows a non-admin user to play it
2. Attempt to play video as the non-admin user
jetty permission denied
Video should play.