Has anyone come across any best practices for data-level security in Hibernate? Any source of information, links etc ?

The best practice for security reasons is not to have security in Hibernate :)

Application level security for data is the same as application level data validation, it is more UI helper than security.
If you need security then use native data base security or use stored procedures/triggers to implement custom security.
Mapping will be more complicated, you will need to use views for all tables and "RULE"/"INSTEAD OF TRIGGER" to "hide" procedures. It takes a lot of to time to design this kind of database, but you must pay this if you need quality and security.

This is impossible if you desgn your application to be database independant (including for example MySQl which has no trigger nor view support). If you write your complete update/save/security strategy in the database you will never be able to easily portrable to a different platform. So there is a definate use/need for security in the Hibernate level.

Save / update / delete security can be built using interceptors and or validators by implementing Validatable.

Is it some meaning to design application this way ? If application works on mySQL then there is no meaning to buy database for this app and to pay for unused features.

But if you design an application that is to e deployed on client machines on which an oracle installation is running and no MySQL can be installed by company policy there is not much of a choice is there?

Use embeded database for this kind of applications like Cloudscape or Pointbase.

Those don't scale well in larger applications and don't offer replication, automated backups and can't be maintained by existing DBA's at the client. No, Hibernate was built to be database independent and we use this feature whenever possible.

So it means you need real database, not mySQL. Is it so hard to understand ?