If the objects in question can be viewed by anyone then you do not need to apply ACL to them. Apply ACL only to operations that modify such objects.
If the visibility (public/private) is configurable per object, you can use a dedicated flag for it and drive visibility by this flag (e.g. by means of expression-based access control).
However, if you wanna stick to ACL also for such objects, you can create a dedicated role (e.g. ROLE_READER) and assign the role dynamically to both anonymous and authenticated users when being authenticated.
See class org.springframework.security.core.authority.mapping.SimpleAuthorityMapper that can be configured with a default authority (ROLE_READER in your case) to be assigned to all users. Then use the mapper during your authentication process. Since you did not specify the way your users are being authenticated, I suppose username/password schema and the default org.springframework.security.authentication.dao.DaoAuthenticationProvider. If you look at that class closely, you find out that you can set an authority mapper to be used.
In case of anonymous users, you can set default authorities as a constructor parameter of org.springframework.security.web.authentication.AnonymousAuthenticationFilter.
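The wiring described above, as an added example that is not part of the original answer. It assumes the setter-style API of Spring Security 5.x/6.x and that `UserDetailsService` and `PasswordEncoder` beans already exist; the class name `ReaderRoleConfig` and the key value `anonymousKey` are hypothetical.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;

@Configuration
public class ReaderRoleConfig {

    // Adds ROLE_READER to the authorities of every successfully authenticated user.
    // With its default settings the mapper also prefixes authorities that lack "ROLE_".
    @Bean
    public SimpleAuthorityMapper readerAuthorityMapper() {
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setDefaultAuthority("ROLE_READER");
        return mapper;
    }

    // Username/password authentication with the mapper applied to the loaded authorities.
    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider(
            UserDetailsService userDetailsService,   // assumed to be defined elsewhere
            PasswordEncoder passwordEncoder,         // assumed to be defined elsewhere
            SimpleAuthorityMapper readerAuthorityMapper) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        provider.setAuthoritiesMapper(readerAuthorityMapper);
        return provider;
    }

    // Anonymous requests get ROLE_READER next to the usual ROLE_ANONYMOUS.
    // Not declared as a bean here: install it in the security filter chain
    // in place of the default anonymous filter.
    public static AnonymousAuthenticationFilter anonymousReaderFilter() {
        List<GrantedAuthority> authorities =
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS", "ROLE_READER");
        // "anonymousKey" is a constructed placeholder value
        return new AnonymousAuthenticationFilter("anonymousKey", "anonymousUser", authorities);
    }
}
```

Because ROLE_READER is then held by unauthenticated requests too, ACL entries for that role should carry read permission only.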