spring-hibernate service/dao security design query

I am trying to create various services, such as:

UserService
UserPermissionService
AddressBookService

Which would access dao's such as:

UserDao
UserPermissionDao
AddressBookDao开发者_运维知识库
CompanyDao

These will use Spring-Hibernate stack and be packaged in a backend jar for multiple webapps. I want the service functionality to be available depending on the permission of the calling user object. Also, Caller (user) object will have permissions of the calling user.

Query: Should I pass Caller to each Service method call and then check its permission? Or is there a better way using 'Spring/AOP' and/or 'Factory Pattern' where the Caller object can be available to the Service methods.

One of the patterns for this case is to store security token in a ThreadLocal and to require corresponding privilege from that token first thing in a service method.