Below is my configuration:
<global-method-security pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
<expression-handler ref="expressionHandler"/>
<protect-pointcut expression="execution(* com.myService.save(..))"
access="ACL_WRITE,ROLE_ADMIN"/>
<after-invocation-provider ref="afterAclObjectRead"/>
<after-invocation-provider ref="afterAclCollectionRead"/>
</global-method-security>

I am using spring security 3.1 with ACL's and expecting access="ACL_WRITE,ROLE_ADMIN" will grant access to user with ROLE_ADMIN OR ACL_WRITE but it is working like an AND condition ie granting access only when user has both ACL_WRITE AND ROLE_ADMIN.

I strictly what to do it in XML and not using annotations also i don't want to grant ACLs to ROLE_ADMIN because going forward i might want to give the save access to some other ROLE's based on business requirements.

How can i solve this? How can i make it work as an OR condition?

Also i couldn't use EL here is there anyway i can do something like access="ACL_WRITE or hasRole('ROLE_ADMIN')"