if the application stores the file in the file system and gives the url to the userOnly if you allow PUT access to that URL.
Can we just stream the file?Yes, just make sure you set a Content-Type and possibly a Content-Disposition. These are HTTP attributes, not Java or J2EE.
Does java EE support ACL for each session or each user to access the file?Yes, if you are using container managed security, you can define all that in web.xml.
Or do I have to use kind of impersonation for each session bean?Eh?