I want to know about implementation of ACL (Athentication / Authorization) and security stuff on next version (4.2) and for future versions.
For now, if I undestood right, this capabilities are not available as part of JESB. I read this on button of page 16 of Programmers Guide (pdf from trunk):
Access control lists (ACLs) are important and complimentary to security protocols, such as WS-Security/WS-Trust, and often overlooked by existing implementations. JBossESB will support ACLs are part of the security capabilities.
The documentation sometimes describes what we'd like to have eventually. ACLs are definitely not on the 4.2 roadmap. In a SOA these sorts of things should be rolled into the governance, service lifecycle and SLA development, which we won't address completely until the 5.x timeframe. However, if you can describe your particular scenario, it may be possible to offer advice for you now.