I have a pretty complex requirement for the permissions framework for my application where we have users and groups(of users). Users can be associated with multiple groups with relationships like Group Lead, Group Member, Group Guest. A user can be associated to his subordinate users i.e the one's who reports to him.
Now I have permissions such that each permission can have multiple scopes like "Create a report template" is a permission that can have scopes like "for groups that I lead", "for groups that I am member of", "groups I am guest of", "for users who report to me". The permission can be checked for none or all of the above categories for a user.
My security service cannot be applied at the controller layer as my client can be a GWT widget that directly uses the Java service. So I need to apply the security at the Java service level preferably using annotation based security like the one Spring Security provides as I do not intend to write security codes inside my service methods.
My research on Spring Security ACL has not been able to fit my requirements as I did not find the interfaces flexible enough to accommodate my needs or maybe there is something that I am missing.