Anybody know of any useful models/patterns to handle web authorization? In particular, something that can handle the following basic scenarios:
1. Multiple "Site" entities supported by the same database.
2. User login to a Site. User can edit/view only his owned objects (Profile, Address, etc.)
3. Site Administrator login to administer Site.
4. Root Administrator login to administer all Sites.
Furthermore, add in other restrictions such as admin groups with permission to view or access certain functionality, etc., all backed by Hibernate persistence, and configurable via a web interface (to which, of course, an Admin must log in).
I've seen some stuff on the H3 JAAS integration and wasn't convinced that this is the way. (Control is too fine-grained on an "Entity" level.)