Unfortunately I need ACL management for this project, so I can't use ModeShape .
Too bad, I was starting to enjoy ModeShape.
Thanks for your answer.
I should have mentioned this earlier: with ModeShape you can plug in custom authentication and/or authorization to dictate read, write, and administrative access based upon path. With this you'd be able to enforce just about any straightforward security policy, but it doesn't use the standard JCR API for ACLs.