Web applications are usually structured into three logical tiers: presentation, business logic, and data processing. In most current access control frameworks for Web applications, control is enforced at the business-logic or data-processing level. In contrast, this paper presents a two-stage approach in which the enforcement of access control is divided between the presentation level and the business-logic level. A flexible menu generator achieves presentation-level access control by restricting user menus to the functions that a user's current access privileges permit. Other fine-grained access controls are enforced at the business-logic level using a modular scheme based on the aspect-oriented language AspectJ.
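
The two-stage split described above, as an added AspectJ example that is not the paper's code: the `Requires` annotation, the classes and the privilege strings are all hypothetical. Both stages read the same privilege set, and the aspect still denies a call that never went through the generated menu.

```aspectj
// Added illustration: all names are hypothetical, none come from the paper.
import java.lang.annotation.*;
import java.util.*;

@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface Requires { String value(); }

class Session {   // privileges of the user bound to the current request
    static final ThreadLocal<Set<String>> PRIVILEGES = new ThreadLocal<>();
}

class MenuGenerator {   // stage 1: presentation-level filtering
    // Constructed sample catalogue: {menu label, privilege needed to see it}.
    static final String[][] ITEMS = {
        {"View report", "report.read"}, {"Delete report", "report.delete"}};
    static List<String> menuFor(Set<String> privileges) {
        List<String> visible = new ArrayList<>();
        for (String[] item : ITEMS)
            if (privileges.contains(item[1])) visible.add(item[0]);
        return visible;
    }
}

class ReportService {   // business logic carries no access-control code
    @Requires("report.read") String view(int id) { return "report " + id; }
    @Requires("report.delete") void delete(int id) { System.out.println("deleted " + id); }
}

aspect AccessControl {   // stage 2: business-logic enforcement
    pointcut guarded(Requires r): execution(@Requires * *(..)) && @annotation(r);
    Object around(Requires r): guarded(r) {
        Set<String> privs = Session.PRIVILEGES.get();
        if (privs == null || !privs.contains(r.value()))   // default deny
            throw new SecurityException("denied: " + r.value());
        return proceed(r);
    }
}

public class Demo {
    public static void main(String[] args) {
        Set<String> alice = new HashSet<>(Arrays.asList("report.read"));
        Session.PRIVILEGES.set(alice);
        System.out.println(MenuGenerator.menuFor(alice));   // stage 1 output
        ReportService svc = new ReportService();
        System.out.println(svc.view(7));
        try { svc.delete(7); }   // call that bypasses the generated menu
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Compile with the AspectJ compiler (`ajc`) and run with the AspectJ runtime on the classpath; plain `javac` does not accept the `aspect` declaration.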