For the moment, to check the permission on an object in JSP page, you can use the AccessControlListTag.
But, I think it would be a good idea to call hasPermission method from the AuthorizeTag :
<sec:authorize access="hasPermission(#book, 'write')"> where the book variable is provided from the page context.
Related issue :
Now, when you call hasPermission method from AuthorizeTag, this throw a NullPointerException because the permissionEvaluator is not defined in the WebSecurityExpressionRoot :
Caused by: java.lang.NullPointerException