Basing on my recent investigation, most common options to implement security in Java are:
- JAAS
- Spring Security
- Apache Shiro
Since you seems to be looking for rather basic mechanisms for permision checks, Apache Shiro may be best option to start with - it is simplier than others, integrates with Spring Framework and also has built-in JSP integration (some tag library to add permission checks right to your JSP page).