Can anyone recommend an off the shelf ACL Java lib?
I'm not having any luck finding one.
Apache Ki (formerly known as JSecurity) could be what you're looking for if you're not afraid of doing some things yourself. I've personally created a completely transparent, annotation based, per-page web application security model (relying on both user roles/permissions and group roles) with it and it's capable of a lot more than just that.
There's Spring Security (previously known as Acegi).
Haven't used it myself, but I've heard good things about it. Most effective when used with the rest of Spring, obviously, but I think you can use it in a general way.
Spring Security (formerly Acegi) will be the one most people recommend. In the end I found it very hard to setup up the way I wanted it to behave. Mainly because I didn't want to check access against the role of a user. What I wanted was user's who belong to user groups (ie. have roles) which then have "permissions" and access is checked against a "Permission", not a role (user group).
Have a look at Apache Shiro. It's built to handle authentication, authorization, cryptography, and session management. It seems to be designed to be easier to use than Spring Security.
I've just been researching on java libraries to handle ACL and this is actually out of the incubator (Shiro is now ver. 1.2), unlike Apache Ki. It's quite confusing when Apache has multiple projects covering the same area.
take also a look to: