I've implemented a permissions based system with a custom tag to determine whether the current logged in user is to be presented with certain parts of a page.
So I can have something like this:-
This is configured in a config file (which also holds page level permissions) like this - where ADM is the user's role:-
<security:hasPermission permissionGroup="Admin" permission="View">
<html:link href="admin/administration.html"><fmt:message key="tabs.administration"/></html:link>
The permission group doesn't really mean anything, other than the fact that it's a way to group the rules together in a tidy way.
All this stuff (I've been posting lots of code on here recently) is due to come out in an Apache licensed set of Spring related utilities sometime in the early New Year. You can have a pre-release version (with no guarantees of being bug free of course) if you want.