Implementation of custom Permissions should be an easy task. However, if you just look at the JavaDocs available at the Spring site and want to extend either AbstractPermission or BasePermission, it is not so easy. You have to call the only constructor, which takes two parameters: mask and code; but there is no hint in the JavaDoc as to what mask is and what code is (personally I was able to guess what mask is, but I had no idea what code is). In fact you have to download the source code for Spring Security, and only then can you find the meaning in the code of AbstractPermission. I believe you should be able to write your own Permission without looking into the source.
Also, the Javadoc says you cannot use RESERVED_ON or RESERVED_OFF - but looking at the JavaDoc you don't know their values!
So the JavaDoc should be improved.
Also, I don't understand why I have to pass the code. It is used only for printing the string representation of a Permission in logs or on the console, so personally I don't care much (it can simplify debugging, but it is definitely not crucial). Only the mask is crucial. So why not provide a second, simplified constructor taking only the mask and using some default "ON" character for active bits? (AclFormattingUtils already uses the default character '*' for this case in the one-arg printBinary() method, so we can use it too. BTW, there is also a bug in the Javadoc for this method: the actual character that is being printed is missing.)
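
The two-argument constructor discussed in this report, shown as an added example that is not part of the original report or of Spring Security's own code. It assumes spring-security-acl is on the classpath with the package names used since Spring Security 3; `DocumentPermission`, `APPROVE` and `PUBLISH` are hypothetical names.

```java
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.CumulativePermission;
import org.springframework.security.acls.model.Permission;

// Added example: DocumentPermission, APPROVE and PUBLISH are hypothetical names.
public class DocumentPermission extends BasePermission {

    // mask: the single bit that identifies the permission in an ACL entry.
    // code: the character shown at that bit's position in getPattern().
    // BasePermission's own constants occupy bits 0-4, so start at bit 5.
    public static final Permission APPROVE = new DocumentPermission(1 << 5, 'P');
    public static final Permission PUBLISH = new DocumentPermission(1 << 6, 'U');

    protected DocumentPermission(int mask, char code) {
        super(singleBit(mask), printable(code));
    }

    // Fail fast on a mask that does not set exactly one bit, since a
    // multi-bit mask would overlap other permissions.
    private static int singleBit(int mask) {
        if (Integer.bitCount(mask) != 1) {
            throw new IllegalArgumentException("mask must set exactly one bit: " + mask);
        }
        return mask;
    }

    // The reserved characters are constants on the Permission interface.
    private static char printable(char code) {
        if (code == Permission.RESERVED_ON || code == Permission.RESERVED_OFF) {
            throw new IllegalArgumentException("code must not be a reserved character");
        }
        return code;
    }

    public static void main(String[] args) {
        // A single permission: one bit in the mask, one code character in the pattern.
        System.out.println(APPROVE.getMask() + " " + APPROVE.getPattern());

        // Combining permissions ORs the masks and merges the patterns.
        CumulativePermission both = new CumulativePermission()
                .set(BasePermission.READ)
                .set(APPROVE);
        System.out.println(both.getMask() + " " + both.getPattern());
    }
}
```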