role-base-authorization

Where in the call stack should role checks be done?

In my typical app, the user clicks a button in an aspx page, invokes a C# business object, then runs a stored procedure. Should role checks be done at the top of the stack, the bottom of the stack or at every level? It seems that if a malicious user can invoke one method, he could invoke any, so for effective security, you'd need a ...

Roles/Privileges in a Spring/Hibernate application

Hi, In a banking or similar application there are usually several roles defined and associated privileges required (for example a normal user could only do transactions but not post it while a supervisor can verify and post them, sort of maker/checker). We also need to add new roles and privileges in the system (not sure about the latte...