Criteria based authorization check with spring security?
How does spring security support dynamic roles & permissions? For example, the role can be generated at runtime by end users. Each role can include multiple permissions which can be created/updated at runtime. Each permission is based on criteria like "delete topic if no activity for 3 months". The ACL of spring security can't support it since records of acl_entry are static instead of dynamic. How to customize spring security to support such a requirement?
Spring Security 3 supports expression based authorization: it allows you to express security constraints as arbitrary expressions in Spring Expression Language. By default you can use methods of SecurityExpressionRoot in these expressions.

However, you can add your own methods by customizing MethodSecurityExpressionHandler.createEvaluationContext(), so that you can define arbitrary criteria and use them in these expressions. Also see What's the difference between @Secured and @PreAuthorize in spring secu 3 ?.
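The following is an added, self-contained illustration of the approach the answer describes; it is not code from the answer or from Spring Security itself. It subclasses DefaultMethodSecurityExpressionHandler and overrides createSecurityExpressionRoot(), the protected hook that createEvaluationContext() delegates to in current versions, so that @PreAuthorize expressions gain a custom canDeleteTopic(...) method. The Topic class, the PermissionCriteriaRepository (standing in for a table of runtime-editable criteria such as "delete topic if no activity for 3 months") and the role names are all hypothetical; the Spring Security types and the GlobalMethodSecurityConfiguration Java-config hook are real.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/** Hypothetical domain object: a forum topic and when it last saw activity. */
class Topic {
    final String id;
    final Instant lastActivity;
    Topic(String id, Instant lastActivity) { this.id = id; this.lastActivity = lastActivity; }
}

/**
 * Hypothetical store of runtime-editable criteria: each role maps to the inactivity
 * period after which its holders may delete a topic. A real system would read this
 * from a table that administrators edit; the map here is constructed sample data.
 */
class PermissionCriteriaRepository {
    private final Map<String, Duration> deleteAfterInactivity = Map.of(
            "ROLE_MODERATOR", Duration.ofDays(90),   // "no activity for 3 months"
            "ROLE_ADMIN", Duration.ZERO);            // may delete at any time

    Optional<Duration> deleteThresholdFor(String role) {
        return Optional.ofNullable(deleteAfterInactivity.get(role));
    }
}

/** Expression root exposing canDeleteTopic(...) to SpEL; deny unless a criterion matches. */
class CriteriaSecurityExpressionRoot extends SecurityExpressionRoot
        implements MethodSecurityExpressionOperations {
    private final PermissionCriteriaRepository criteria;
    private Object filterObject, returnObject, target;

    CriteriaSecurityExpressionRoot(Authentication auth, PermissionCriteriaRepository criteria) {
        super(auth);
        this.criteria = criteria;
    }

    /** True if any of the caller's roles carries a criterion the topic satisfies. */
    public boolean canDeleteTopic(Topic topic) {
        Instant now = Instant.now();
        for (GrantedAuthority authority : getAuthentication().getAuthorities()) {
            Optional<Duration> threshold = criteria.deleteThresholdFor(authority.getAuthority());
            if (threshold.isPresent() && !topic.lastActivity.plus(threshold.get()).isAfter(now)) {
                return true;
            }
        }
        return false; // no role with a satisfied criterion: deny
    }

    // Plumbing required by MethodSecurityExpressionOperations (filterObject/returnObject/this)
    @Override public void setFilterObject(Object o) { filterObject = o; }
    @Override public Object getFilterObject() { return filterObject; }
    @Override public void setReturnObject(Object o) { returnObject = o; }
    @Override public Object getReturnObject() { return returnObject; }
    public void setThis(Object o) { target = o; }
    @Override public Object getThis() { return target; }
}

/** Handler that installs the custom root; createEvaluationContext() calls this hook. */
class CriteriaMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    private final PermissionCriteriaRepository criteria;

    CriteriaMethodSecurityExpressionHandler(PermissionCriteriaRepository criteria) { this.criteria = criteria; }

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        CriteriaSecurityExpressionRoot root = new CriteriaSecurityExpressionRoot(authentication, criteria);
        root.setThis(invocation.getThis());
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(getTrustResolver());
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new CriteriaMethodSecurityExpressionHandler(new PermissionCriteriaRepository());
    }
}

/** Guarded service: the expression calls the custom root method with the argument. */
class TopicService {
    @PreAuthorize("canDeleteTopic(#topic)")
    public void deleteTopic(Topic topic) { /* deletion logic */ }
}
```

With XML configuration the same handler is wired via `<global-method-security pre-post-annotations="enabled"><expression-handler ref="..."/></global-method-security>`. Because the criteria are looked up on every evaluation rather than copied into acl_entry rows, an administrator changing the 3-month threshold takes effect on the next call; the root falls through to `false` when no role has a matching criterion, so a misconfigured or missing rule fails closed.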