Implementing Simple Security System

 
Ranch Hand
Posts: 89
Hello,

I want to implement my own security system on my program. It's really simple and works like this: if the user's access level is greater than the access level of the class then they get to open the page, else they have a message saying a higher access class is required. Access levels are simply ints ranging from 1 to 5.

The user login details are stored in a database. However, I'm not sure of the best way to store the class access levels. I could have a table in the database that stores them but think this is somewhat unsophisticated. Additionally, I could hard code the access level into the class... but again this is problematic in case the access levels need to be changed. In the class to be opened, there are set and get methods for the access level. I thought perhaps I could serialize the class in question as a possibility.

However, I'm thinking it may be best to write the class access level to a file and then read it in when required. From limited knowledge a friend suggested an XML file would be better to store this information. Anybody got any thoughts or comments?

Cheers!
 
Rancher
Posts: 43081
Why do you think having a table in the database would be unsophisticated? You can cache the information in your web app, and you can change levels without recompiling or editing files - just flush the cache.
 
(instanceof Sidekick)
Posts: 8791
A couple thoughts ... tying security to classes might be useful but it makes me a bit queasy. I'd rather tie it to a more abstract description of what's going on. For example, I would prefer "UpdateSalary" to "com.this.that.SalaryUpdaterServlet". It feels more likely to survive future changes to the system.

I've also had no luck with security levels, which imply a hierarchical structure in all my user permissions. It always turns out that somebody comes along with some of these abilities, and some of these others so they just don't fit in a tree structure. We've had more luck with users having roles and roles having any number of permissions.

Still, if hierarchy is right for you, go for it. As with any decision, try to hide it from the rest of your system. Make a nice interface that could be implemented with any implementation. Maybe

if ( user.hasPermission( someTask ) ) ...
-or-
if ( securityMgr.hasPermission( thisUser, someTask ) ) ...
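
Added example, not part of the thread or any poster's code: a sketch of the second call shape above, with users holding roles and roles holding permissions named by task rather than by class, and anything unknown denied. The names PermissionChecker and RoleBasedChecker and the sample users, roles and tasks other than "UpdateSalary" are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

public class PermissionDemo {

    /** The narrow interface callers depend on; the storage behind it can change. */
    interface PermissionChecker {
        boolean hasPermission(String user, String task);
    }

    /** Users hold roles, roles hold permissions; anything unknown is denied. */
    static final class RoleBasedChecker implements PermissionChecker {
        private final Map<String, Set<String>> rolesByUser;
        private final Map<String, Set<String>> tasksByRole;

        RoleBasedChecker(Map<String, Set<String>> rolesByUser,
                         Map<String, Set<String>> tasksByRole) {
            // Copy the maps so later changes by the caller cannot widen access.
            this.rolesByUser = Map.copyOf(rolesByUser);
            this.tasksByRole = Map.copyOf(tasksByRole);
        }

        @Override
        public boolean hasPermission(String user, String task) {
            if (user == null || task == null) {
                return false; // no identity or no task named: deny
            }
            for (String role : rolesByUser.getOrDefault(user, Set.of())) {
                if (tasksByRole.getOrDefault(role, Set.of()).contains(task)) {
                    return true;
                }
            }
            return false; // default deny: no role granted the task
        }
    }

    public static void main(String[] args) {
        // Constructed sample data; in the thread's setup these rows would be
        // read from database tables and cached.
        PermissionChecker checker = new RoleBasedChecker(
            Map.of("alice", Set.of("payroll"), "bob", Set.of("payroll", "auditor")),
            Map.of("payroll", Set.of("UpdateSalary"), "auditor", Set.of("ViewAuditLog")));

        System.out.println(checker.hasPermission("alice", "UpdateSalary"));
        System.out.println(checker.hasPermission("alice", "ViewAuditLog"));
        System.out.println(checker.hasPermission("bob", "ViewAuditLog"));
        System.out.println(checker.hasPermission("mallory", "UpdateSalary")); // user with no roles on record
    }
}
```

Because callers see only the interface, the 1-to-5 level scheme from the first post could be swapped in behind the same method without touching the calling code.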