Does anyone know of any good design patterns for showing/hiding content based on a user's roles? For instance, if a user logs in, I know that I can find out if they are in a role "ADMIN" by doing isUserInRole("ADMIN"), but I really would prefer not to hardcode roles in the JSP.
Indeed, you should not be hardcoding roles in a JSP. This kind of decision should be made in the controller (maybe a servlet), which sets a boolean attribute, based on which the JSP can make a decision on what to render.
Instead of hardcoding role names, you can keep the role names in a separate config file, and then use logical names for them in the application. That way you can change roles later without having to change the code.