This is really just a piece of metadata to identify the specific domain object type (e.g. Contact) to which an ACL applies. In practice it is converted to a String (the classname) when stored in the database. There's no real requirement that it should be a unique Java class or that the class should be loadable when the ObjectIdentity is created. It would be more flexible if it was just treated as a String.
on the interface should be changed to return a String, and the property should be changed to "type" or "objectType" or something similar.