How to implement security with OOP?

I am planning my first decent sized Java application. Since I am relatively new to OOP, I have a couple of questions. Many of the features in my application depend on knowing who the user is and their access level to screens and menu options. I need to create a menu system so that a user can only see their menu options. In addition, the user access level will determine how much of the screens they have access to that they will be able to use. For example two users may be able to use a data entry screen, but only one can actually save changes made.
My question is, how I set up a user object so that it is floating out there and when I need to know the user's security level, I grab the user object and ask it about its security clearance. I'm not sure that passing the user object all over the application is a very "Object oriented" way to perform this task. How should I set this up? Thank you very much!

Rather than user level, have you considered "keys"?
Is it possible that one user might have access to option a and not option b, while another user has access to option b and not option a?
If you give the first user the "a" key and the second user the "b" key, all of this works out.
As for OO: Yes, you should have a user object that contains the access authority information. And then have a secure object that knows how to test the authority.

Paul,
You seem to be suggesting some kind of idiom or approach for implementing security. Can you or someone else expand on this a bit.
I am pretty new to the language and its uses also, but my first instinct would be to implement a publicly accessible final class that used private members. (Actually, coming from the background that I do, my first instinct would be to store the info in a DB, but short of having one available this the next approach).

How would I do this? Use a 'key' I mean? I'm not understanding what you are getting at. The answer to your question is yes- one user might have access to option a and not option b, while another user has access to option b and not option a.
Thank you

Originally posted by Paul Wheaton:
Rather than user level, have you considered "keys"?
Is it possible that one user might have access to option a and not option b, while another user has access to option b and not option a?

If you give the first user the "a" key and the second user the "b" key, all of this works out.
As for OO: Yes, you should have a user object that contains the access authority information. And then have a secure object that knows how to test the authority.

(how did I miss the April 8th post?)
There are lots of ways to implement this. One way might be that a user has a hashtable full of strings that represent keys. When attempting to get access to something, the user object is passed in. The hashtable does a lookup for the required key - it's there, or it isn't!

James ,
I second both Betty and Paul ,have the permissions stored in database and load them statically (only once into Memory). Note in pre JDK 1.2 days Memory usually meant a Hashtable but you can also use other Collection classes.
In this case Paul is right in suggesting a Hashtable since many users may access the application at same time and all get/set methods are synchronized in a Hashtable.
The permissions can be a custom object which has only get() methods ,for example
public class JPermission {
//Implement it using a single object and manipulate it.
private BitSet permBits = new BitSet();
//or many integers which are not -1 to indicate this user has that particular permission.
private int read = -1;
private int write = -1;
public boolean isReadAllowed() {
//underlying business logic...
}
}
so each user is stored in a globally accessible Hashtable and do a get(User) which will return a Permission object and check for it.
Cheerio
Amit

How about using a session object instead of a hashtable?
That way if you're searching for a key you can query to see if that certain key is there and if it is not then the user does not have the key for it.
Anyone know if there are advantages of one over another?
Yoo-Jin.

Hi All,
How about using windows Access Control List to add / check permissions based on the user group? The only dis-advantage of this method is that it is tied to WIN NT.
Regards,
Milind