Are there any java open source role-based access control system?
There are lots of possible solutions, but which one is best (i.e. meets your needs without being too heavyweight or too complicated to implement) depends on your requirements:
Are you talking about access control for a web service, or something else?
What kind of access control are you looking to implement? Based purely on resource URLs, or depending on the state / metadata of the requested entities? Are the roles simple or hierarchical? Do different actions require different roles?
Do you need to deal with authorization as well?
I presume that the question that you are trying to answer is:
Does user u have access to do operation op on object o?
One thing to consider is how are your domain objects and user groups defined from a business perspective (outside of the AC mechanism). For any RBAC implementation, you would need to configure it to tell what your users and user groups are. That will affect your choice of RBAC implementation.
Another (more specific) question: do you need to support override permissions, includes and excludes? Specifically, do you want to be able to support the scenario that object o1 is available to usergroup g1, but not user u1 (who is part of group g1)?
Depending upon the specific answers, jguard (which is built over JAAS) might be a very good option - http://jguard.net/