If this happens to be an intra-net application, then by far (IMHO) the best approach is to use LDAP authentication at an Apache (or other server) level, which will centralize both the authentication and the authorization controls for this and for all other applications in one convenient spot that your company will already be using.   You can wall-off access to the site or to a portion of it without having to write special code at all.   You can query the identity of the connecting user and his privileges, group memberships and so on very easily.