This problem, which appears in both 2.0.3 and 2.0.4, seems to be related to
but I'm not sure. I haven't done much research into the cause.
At any rate, I'm using the <security:accesscontrollist> tag but not the <global-method-security> element in the app context. (I know there's no inherent connection between the two, but I mention it because you need to remove <global-method-security> in order to reproduce the bug.) When the JSP that contains the tag runs, I get the following stacktrace:
java.lang.IllegalStateException: Mask 1 does not have a corresponding static Permission
Anyway, I tried one of the ideas in the above-mentioned JIRA issue (namely forcing a BasePermission load and the associated execution of the static initializer) and that solved the problem.
I assume that what's happening is that DefaultPermissionFactory is trying to carry permissions bits I've set either in the tags or else in the database to actual Permissions, isn't finding anything in the registeredPermissionsByInteger map, and is failing as a result.