Group and acl on Spring Security

Check Spring Security 3.0, you might be able to avoid using ACL at all by using the Spring Expression Language.

For instance, for editing a forum, you would have a method secured like this:

@PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum,'update'))
public void updateForum(Forum forum) {
    //some implementation
}

You would then implement the hasPermission method in a custom permission evaluator, like:

public class ForumPermissionEvaluator implements PermissionEvaluator {

    public boolean hasPermission(Authentication authentication,
            Object domainObject, Object permission) {
        //implement
    }

    public boolean hasPermission(Authentication authentication, 
            Serializable targetId, String targetType, Object permission) {
        //implement
    }
}

Finally, wire it up together in the application config:

<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <beans:property name="permissionEvaluator" ref="permissionEvaluator"/>
</beans:bean>

<beans:bean id="permissionEvaluator"
    class="x.y.z.ForumPermissionEvaluator" />

I would just use your Groups like Roles. I've found the Spring ACL implementation to be pretty unwieldy and for the most part unusable. Just assign users to "groups" (Roles in all actuality) and check them as you would normal role based authorization.