Fundamental security-noob questions
I'm attempting to secure my web app using spring security. I'm securing it down at the service layer where I expose a few objects in an application-context.xml file that is then used by the web app. I have two jars: myservice.jar and mywebapp.jar. The service layer talks to a bunch of DAO objects etc, which are also present in the application-context.xml file (so that the service objects can find them).
I have a custom UserDetailService which accesses the database. My implementation of UserDetails is something that I want to control access to: "super users" have the ability to modify other UserDetails: e.g. to disable them, reset passwords etc. Access to all this is through a service object.
My question is: what is to stop code in the webapp layer just getting hold of the DAO objects and using them directly?
And if the answer to that is "nothing", then I presume I must also secure the DAO objects, and if so, how do I have my UserDetailsService get access to user objects when user objects are one of the resources that I'm protecting? How do I get a UserDetail object to verify a log-in, when by definition no one is logged in yet?
This seems fundamental so please will someone point out the obvious to me.
Jamie
Since administrative functions are insert/update/delete, you can put administrative security restrictions on those methods while leaving read methods in your DAO open to all users.
If there is information that needs to be non-readable to a user, you can make multiple read methods that are only called from their respective portions of code. I hope that makes sense.
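One concrete shape for the split the answer describes, as an added example that is not from the original post: a DAO whose insert/update/delete methods require a super-user role, with a second restricted read method, while the plain lookup used by the UserDetailsService stays unannotated so authentication can load a user before anyone is logged in. It assumes Spring Security 3+ with method security enabled in the application context via `<security:global-method-security pre-post-annotations="enabled"/>`, that both classes are Spring-managed beans (the proxy is what enforces the annotations, so webapp code that pulls the DAO bean out of the context is intercepted too), and the class and role names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Assumed DAO bean: reads open, writes restricted to ROLE_SUPERUSER (hypothetical role). */
public class UserDao {
    // Constructed in-memory table standing in for the real database.
    private final Map<String, UserDetails> table = new ConcurrentHashMap<String, UserDetails>();

    // Unannotated, so the method-security interceptor never consults the SecurityContext:
    // safe to call during login when no Authentication exists yet.
    public UserDetails findByUsername(String username) {
        return table.get(username);
    }

    // A separate read that exposes more than one account; only super users may call it.
    @PreAuthorize("hasRole('ROLE_SUPERUSER')")
    public List<UserDetails> findAll() {
        return new ArrayList<UserDetails>(table.values());
    }

    // Administrative writes (disable, reset password, ...). Through the Spring proxy these
    // throw AccessDeniedException for a logged-in caller without the role, and
    // AuthenticationCredentialsNotFoundException when nobody is logged in, no matter
    // which jar the calling code lives in. Self-invocation inside this class is NOT
    // intercepted, so keep the restricted methods as the only write path.
    @PreAuthorize("hasRole('ROLE_SUPERUSER')")
    public void save(UserDetails user) { table.put(user.getUsername(), user); }

    @PreAuthorize("hasRole('ROLE_SUPERUSER')")
    public void delete(String username) { table.remove(username); }
}

/** Assumed custom UserDetailsService: only needs the open read method. */
class DaoUserDetailsService implements UserDetailsService {
    private final UserDao userDao;

    DaoUserDetailsService(UserDao userDao) { this.userDao = userDao; }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user = userDao.findByUsername(username);
        if (user == null) throw new UsernameNotFoundException("No such user: " + username);
        return user; // the AuthenticationProvider checks the password, not this class
    }
}
```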