Framework like Spring Security for Java EE?

Spring Security offers many powerful security mechanisms but it doesn't fit properly into a Java EE (EJB) environment. One problem is that Spring Security stores the SecurityContext in a ThreadLocal object which is not suitable for clusters. Spring Security relies on services (AOP for example) from Spring core which are not available if the EJB container manages the object. And Spring Security needs Spring core to wire itself, what I'd like to avoid since Java EE has already dependency injection mechanisms.

Is there a security framework tailor-made for Java EE? I'd like to have ACLs or a more flexible role mechanisms for example.

If neither the Java EE security model nor Spring Security suit your needs, then I'm afraid you'll have to roll out your own custom solution - maybe a custom JAAS LoginModule - as you won't find anything equivalent (at least not in the open source world to my knowledge). But be aware, JAAS is not really a pleasant API and this won't be an easy task. More resources on this topic in Further Information about Security (see the bottom of the page).

Have you tried Seam Security? It supports ACLs, if I remember correctly.