I am in the process of writing an ACL based authorization system which checks permission on a URL level. It is supposed to be transparent and Authentication system agnostic. It is implemented as a post controller constructor hook.
Sadly its not finished. but you can check it out on github and fork it if you feel like finishing it. atm it only works with ACLs coded in a config file, but it allows for an external group/role source (i just havent written one yet).
