All times are UTC - 5 hours [ DST ]



Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 4 posts ] 
Author Message
 Post subject: How to disable native SQL or how to control privileges?
PostPosted: Thu Jul 03, 2008 11:06 am 
Newbie

Joined: Tue Jul 01, 2008 4:04 pm
Posts: 2
First of all, is there a way to disable any native SQL code? In particular, I don't want to be able to do session.createSQLQuery("DROP TABLE tablename").

Also, I want to control the select/insert/update/delete privileges that a hibernate session exposes. For example, I would like to map a table to an entity class and use this mapping to only read from the table. Any changes that I make should not be reflected in the database. I don't want to use session.evict(). I have a HibernateUtil class like the hibernate tutorials suggest that exposes the session factory. So I would like to control the access at a higher level (perhaps some simple property in the mapping file that I'm missing?).

I've also tried the <cache usage="read-only"> and am using something called ehcache handler. But I find I can insert records using session.save and I don't want to be able to do this.


 Post subject:
PostPosted: Thu Jul 03, 2008 4:07 pm 
Newbie

Joined: Sat May 19, 2007 4:19 pm
Posts: 1
This is a non-hibernate answer to your question, but you could use AspectJ (http://www.eclipse.org/aspectj/) to cause compile errors to be raised if your code contains calls to certain methods. See "Contract Enforcement" of Chapter 1 of the Programming Guide. If you use this approach, you may want to make sure you understand AOP first.


 Post subject:
PostPosted: Fri Jul 04, 2008 2:11 am 
Expert

Joined: Wed Mar 03, 2004 6:35 am
Posts: 1240
Location: Lund, Sweden
To prevent calls to Session.createSQLQuery() you can for example wrap the Hibernate Session object in your own Session implementation. All methods that you want to block can simply throw an UnsupportedOperationException. Methods that are allowed are forwarded to the Hibernate Session.

The <cache> settings are for the second-level cache. It has nothing to do with read/write permissions on the database.

Have you tried using the Session.setReadOnly() and/or the Query.setReadOnly() methods? If you wrap the Hibernate session in your own implementation you can for example make all calls to Session.createQuery(), Session.get(), Session.load(), etc. automatically call the setReadOnly() method.


 Post subject:
PostPosted: Fri Jul 04, 2008 1:42 pm 
Expert

Joined: Tue May 13, 2008 3:42 pm
Posts: 919
Location: Toronto & Ajax Ontario www.hibernatemadeeasy.com
Certainly wrapping the Hibernate Session with your own implementation will eliminate any dangerous methods from being exposed.

I'd like to think you also have some security checks on your database that allow only certain types of things to be performed on your database by your application.

_________________
Cameron McKenzie - Author of "Hibernate Made Easy" and "What is WebSphere?"
http://www.TheBookOnHibernate.com Check out my 'easy to follow' Hibernate & JPA Tutorials
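
The Session wrapper described in the replies above, sketched with a JDK dynamic proxy so that only the blocked methods need listing. This is an added example, not code from the thread or from Hibernate; `RestrictedSessions` is a hypothetical helper name, the block list is an assumed policy, and the code assumes Hibernate 3.x to 5.x, where `org.hibernate.Query` and `Session.createSQLQuery()` exist.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.hibernate.Query;
import org.hibernate.Session;

/** Hypothetical helper (not a Hibernate class): hands out a Session with risky methods blocked. */
public final class RestrictedSessions {

    // Assumed policy: native SQL, raw JDBC access and entity writes. Extend as needed.
    private static final Set<String> BLOCKED = new HashSet<String>(Arrays.asList(
            "createSQLQuery", "connection", "doWork",
            "save", "saveOrUpdate", "persist", "update", "merge", "delete", "replicate"));

    private RestrictedSessions() { }

    public static Session wrap(final Session delegate) {
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
                if (BLOCKED.contains(method.getName())) {
                    throw new UnsupportedOperationException(
                            "Session." + method.getName() + "() is disabled by RestrictedSessions");
                }
                Object result;
                try {
                    result = method.invoke(delegate, args); // allowed: forward to the real Session
                } catch (InvocationTargetException e) {
                    throw e.getCause(); // surface the original HibernateException to the caller
                }
                if (result instanceof Query) {
                    ((Query) result).setReadOnly(true);  // entities loaded by the query are not dirty-checked
                } else if (result != null && method.getName().equals("get")) {
                    delegate.setReadOnly(result, true);  // same for a single entity fetched by id
                }
                return result;
            }
        };
        return (Session) Proxy.newProxyInstance(
                Session.class.getClassLoader(), new Class<?>[] { Session.class }, handler);
    }
}
```

A `HibernateUtil` class can return `RestrictedSessions.wrap(sessionFactory.openSession())` so application code never holds the unwrapped Session. HQL bulk statements run through `Query.executeUpdate()` are not blocked by this proxy, so the database account's own privileges remain the backstop.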


© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.