Debug logs are filled with lines like this one:

2012-08-15 17:03:05,016 DEBUG info.magnolia.jaas.sp.jcr.JCRAuthorizationModule  : ACL: info.magnolia.cms.security.ACLImpl@59b5b945

This is quite meaningless. Two simple suggestions:
1) log the username (yes, it's log a few lines above, but if two users log in at the same time, you're lost)
2) implement toString() on info.magnolia.cms.security.ACLImpl so that this becomes useful. Since info.magnolia.cms.security.PermissionImpl already has a toString(), it should be straightforward - print out the name and the list of permissions of the ACL.

Additionally, you might want to make the log message a little more meaningful - i.e saying what's happening with that ACL (something like "adding ACL to user {}: {}" I guess?)