I think you can determine the "dynamic" role names of interest, and as such I think you can use isUser/CallerInRole to test for sufficient privilege... but for this to work you will need to have integrated a policy provider that is able to determine roles and role membership wrt to roles that are defined post-deployment time, and that (dynamically) grants roleRef permissions based on dynamic role mappings.
Another (approach) would be to work with static role names, and to use the folder name to identify or select the principal(s) mapped to the permitted role. This approach would also require a custom policy provider (and would likely work better in the web-tier) where the request url can be (fetched by the policy provided) and used to identify the target folder and the authorized Principal or Group.
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=294010