I assume that you are talking about ACL = Access Control List
http://java.sun.com/j2se/1.3/docs/api/java/security/acl/Acl.html
http://java.sun.com/javaone/javaone97/java1-97-security.html
This quote makes it look like they are expecting you to use directory and object based security.
from:
http://java.sun.com/features/1997/aug/jws1.html
In addition to the Server Sandbox, Access Control Lists are a key feature of server security. ACLs are used for various levels of authentication and authorization in the server and in Java Servlets. There is a server-wide ACL (see sidebar on issues for Unix variations), and separate ACLs can be specified for any file or directory, or for a specific Java Servlet. Because all user information is passed to the Java Servlet as part of the HTTP request in the service routine, Java Servlets can implement additional authorization as a part of the service method. Remote Java Servlets can be signed or unsigned, and each signer has a set of privileges as described by the Java Servlet ACL in the Java ServletMgrRealm.
and not
ACL = Agent communication language
http://java.sun.com/aboutJava/communityprocess/jsr/jsr_087_jas.html