Is Spring ACL a good ACL implementation? [closed]

3

8

I have read about Spring ACL but it does not seem to be very competent. For example:

  1. No way to list all objects of type X with permission Y
  2. No way to automatically create the schemas for new deployments

What are you using for ACL? Is it clever to have the ACL so decoupled from the domain model?

Evesham answered 20/10, 2010 at 9:40 Comment(1)
What did you do in the end? Roll your own? – Irreverence
12

We attempted to use the Spring ACL model and found it unwieldy. We ended up rolling our own, much simpler (but also less generic), implementation and then writing the Spring Security pieces (accessDecisionManagers, Voters, Interceptors) to handle our schema. Hope that helps.

Gass answered 20/10, 2010 at 16:33 Comment(0)
4

You might want to have a look at Apache Shiro.

From the site: Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

Many people prefer the way Shiro handles permissions.

Breezy answered 25/4, 2012 at 21:47 Comment(1)
The only bugaboo about Shiro is no OpenID or OAuth. The main problem report for that is FIVE years old, and only gets attention once a week at best. A shame, because otherwise, Shiro looks REALLY good, far simpler than Spring or Spring ACL. – Alopecia
0

If using Hibernate, you can automatically run the acl schema against the db by adding this to persistence.xml:

<property name="hibernate.hbm2ddl.import_files" value="/import.sql"/>

<property name="hibernate.hbm2ddl.import_files_sql_extractor" value="org.hibernate.tool.hbm2ddl.MultipleLinesSqlCommandExtractor" />

and adding the schema to /resources/import.sql

You can list all objects of type X with permission Y like this:

select
  *
from acl_entry a
join acl_object_identity b on a.acl_object_identity = b.id
join acl_class c on b.object_id_class = c.id
where
  c.class = 'X'   -- X: fully qualified class name of the domain type
  and a.mask = Y  -- Y: integer permission mask

However, Spring Security ACL is fundamentally flawed in terms of Row Security, due to pagination issues. You should do Row Security in the database with views or built-in tools if your db supports them.

Pneumodynamics answered 19/2, 2015 at 18:14 Comment(0)
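The pagination problem named in the last answer, using that answer's query, as an added example that is not code from the original posts or from Spring Security. The table names follow the Spring ACL schema reduced to the columns the query needs (the `acl_sid` table is omitted); the `doc` table, the `com.example.Doc` class name, sid value 1 and all rows are constructed assumptions.

```python
import sqlite3

# Reduced Spring ACL tables plus a hypothetical "doc" domain table (constructed sample).
SCHEMA = """
create table acl_class (id integer primary key, class text);
create table acl_object_identity (id integer primary key, object_id_class integer, object_id_identity integer);
create table acl_entry (id integer primary key, acl_object_identity integer, sid integer, mask integer, granting integer);
create table doc (id integer primary key, title text);
"""
READ = 1  # mask value of BasePermission.READ in Spring Security
DOC_CLASS = "com.example.Doc"  # hypothetical domain class name

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("insert into acl_class values (1, ?)", (DOC_CLASS,))
    for i in range(1, 11):
        db.execute("insert into doc values (?, ?)", (i, f"doc-{i}"))
        db.execute("insert into acl_object_identity values (?, 1, ?)", (i, i))
        if i % 3 == 0:  # sid 1 is granted READ on docs 3, 6 and 9 only
            db.execute("insert into acl_entry (acl_object_identity, sid, mask, granting) "
                       "values (?, 1, ?, 1)", (i, READ))
    return db

# The answer's query, narrowed to one sid and to granting entries.
READABLE = """
select b.object_id_identity from acl_entry a
join acl_object_identity b on a.acl_object_identity = b.id
join acl_class c on b.object_id_class = c.id
where c.class = ? and a.mask = ? and a.sid = ? and a.granting = 1
"""

def page_then_filter(db, sid, page, size):
    """Paginate first, ACL-filter afterwards: pages come back short."""
    rows = db.execute("select id from doc order by id limit ? offset ?",
                      (size, page * size)).fetchall()
    allowed = {r[0] for r in db.execute(READABLE, (DOC_CLASS, READ, sid))}
    return [r[0] for r in rows if r[0] in allowed]

def filter_in_db(db, sid, page, size):
    """ACL join inside the paginated query: pages fill up before the next one starts."""
    sql = f"select d.id from doc d where d.id in ({READABLE}) order by d.id limit ? offset ?"
    return [r[0] for r in db.execute(sql, (DOC_CLASS, READ, sid, size, page * size))]

if __name__ == "__main__":
    db = build_db()
    for page in range(3):
        print(page, page_then_filter(db, 1, page, 4), filter_in_db(db, 1, page, 4))
```

With a page size of 4, filtering after pagination spreads the three readable rows over three nearly empty pages, while the in-database filter returns them on the first page.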
