massfords / spel-maven-plugin

Maven plugin that scans your source during the build and looks for Spring Expressions within annotations like PreAuthorize and validates them.

Add validator for Spring ACL variable references

massfords opened this issue · comments

Spring ACL functions with variable references to parameters must match the parameter name exactly. There are two validations to be added here:

  • validate that a PreAuthorize annotation on a non-abstract method with a hasPermission() function with a variable reference resolves to the declared parameters.
  • validate that a variable reference in a PreAuthorize annotation on an abstract method matches the param name on the concrete methods.

Consider the scenario:

  • write a service interface with PreAuthorize annotations that use Spring ACL
  • implement the service interface with a class
  • default behavior of most IDEs will be to generate the method w/ matching params, which is good
  • at some point in the future, you refactor the name of the params on the interface or the implementation. After all, they're just names so who cares?
  • at runtime, the Spring ACL code won't be able to resolve the variable reference in the expression to the newly renamed param

I've run into this problem 4 or 5 times, but not recently since I'm vigilant about it, but it smacks of effort, and barriers towards refactoring should be removed.
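The two validations requested above, sketched as an added example that is not part of the original issue and is not the plugin's own code. It is a regex-based source check using only the JDK; the class `AclVariableCheck`, its methods, and the `AccountService` sample source are hypothetical names constructed for illustration.

```java
import java.util.*;
import java.util.regex.*;

public class AclVariableCheck {
    // @PreAuthorize("expr") directly followed by a method signature: expression, method name, parameter list.
    static final Pattern ANNOTATED = Pattern.compile(
        "@PreAuthorize\\(\"([^\"]*)\"\\)\\s*(?:[\\w<>\\[\\],.?]+\\s+)+(\\w+)\\s*\\(([^)]*)\\)");
    // SpEL variable references, skipping the built-in #root and #this.
    static final Pattern VARIABLE = Pattern.compile("#(?!root\\b|this\\b)(\\w+)");

    // The parameter name is the last token of each declaration.
    // Simplification: generic types containing commas (Map<K, V>) are not handled.
    static Set<String> paramNames(String paramList) {
        Set<String> names = new LinkedHashSet<>();
        for (String p : paramList.split(",")) {
            String[] tokens = p.trim().split("\\s+");
            if (!p.trim().isEmpty()) names.add(tokens[tokens.length - 1]);
        }
        return names;
    }

    // One finding per #variable that fails to resolve on the annotated (interface)
    // method or on the concrete method of the same name in the implementation.
    static List<String> check(String interfaceSrc, String implSrc) {
        List<String> findings = new ArrayList<>();
        Matcher m = ANNOTATED.matcher(interfaceSrc);
        while (m.find()) {
            String expr = m.group(1), method = m.group(2);
            Set<String> declared = paramNames(m.group(3));
            // Concrete method: same name, has a body. Overloads are not distinguished here.
            Matcher impl = Pattern.compile("\\b" + method + "\\s*\\(([^)]*)\\)\\s*\\{").matcher(implSrc);
            Set<String> concrete = impl.find() ? paramNames(impl.group(1)) : declared;
            Matcher v = VARIABLE.matcher(expr);
            while (v.find()) {
                String name = v.group(1);
                if (!declared.contains(name)) findings.add(method + ": #" + name + " does not match a declared parameter");
                if (!concrete.contains(name)) findings.add(method + ": #" + name + " does not match an implementation parameter");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: the implementation parameter was renamed from "account" to "acct".
        String iface = "public interface AccountService {\n"
            + "  @PreAuthorize(\"hasPermission(#account, 'write')\")\n"
            + "  void update(Account account);\n}";
        String impl = "public class AccountServiceImpl implements AccountService {\n"
            + "  public void update(Account acct) { /* ... */ }\n}";
        check(iface, impl).forEach(System.out::println);
    }
}
```

Failing the build on a non-empty findings list would surface the rename at compile time instead of at runtime.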