User-managed access to web resources

Web 2.0 technologies have made it possible to migrate traditional desktop applications to the Web, resulting in a rich and dynamic user experience and in expanded functionality. Individuals can create and manage their content online; they are not only consumers of Web services but also active participants on the Web platform. As a result, potentially large amounts of personal, sensitive, and valuable data are put online, spread across various Web services. Users sometimes share this data with other users and services on the Web, but they are also concerned about maintaining privacy and sharing their data securely. Currently, users must rely on the diverse access control solutions available at each Web service to secure data and control its dissemination. When such mechanisms are used on a daily basis, they add considerable overhead, especially since they often lack sophistication with respect to both functionality and user interfaces. To alleviate this problem, we discuss a novel approach to access management for Web resources that includes the user as a core part of its model. The proposal puts the user in charge of assigning access rights to resources that may be hosted at various Web applications. It lets users share data more selectively through a centralized authorization manager that makes access decisions based on the user's instructions.
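The abstract describes an architecture in which resources hosted at several Web applications are protected by one authorization manager that decides according to the owning user's instructions. The following is an added illustration of that decision model, not the paper's protocol or code: the resource hosts (`photos.example`, `docs.example`), the users (`alice`, `bob`, `carol`), the policy shape and the method names are all assumptions made for this example. It shows the checks a practitioner would expect at such a central decision point: only the registered owner of a resource can write policy for it, and anything not explicitly granted (unknown resource, unknown requesting party, or an action outside the granted set) is denied.

```python
"""Toy centralized authorization manager (AM) in the spirit of the
user-managed access model from the abstract. Illustration only; the
resource servers, users and policy format are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# A resource is identified by the host that serves it plus its path there.
ResourceId = Tuple[str, str]  # (resource_host, path)


@dataclass(frozen=True)
class Policy:
    """One user instruction: a requesting party may perform a set of
    actions on one resource owned by that user."""
    owner: str
    resource: ResourceId
    requesting_party: str
    actions: FrozenSet[str]


@dataclass
class AuthorizationManager:
    """Central decision point shared by many resource servers.
    Resource servers register resources on behalf of their owner, the
    owner adds or revokes policies, and resource servers ask for decisions.
    Everything not explicitly granted is denied."""
    # resource -> owner, as registered by the hosting resource server
    registry: Dict[ResourceId, str] = field(default_factory=dict)
    policies: Set[Policy] = field(default_factory=set)

    def register_resource(self, resource_host: str, path: str, owner: str) -> None:
        """Called by the resource server that hosts the resource."""
        self.registry[(resource_host, path)] = owner

    def grant(self, owner: str, resource: ResourceId,
              requesting_party: str, actions: Set[str]) -> bool:
        """Owner-side instruction. Refused unless the caller is the registered
        owner, so one user cannot write policy for another user's data."""
        if self.registry.get(resource) != owner:
            return False
        self.policies.add(Policy(owner, resource, requesting_party, frozenset(actions)))
        return True

    def revoke(self, owner: str, resource: ResourceId, requesting_party: str) -> int:
        """Remove every grant this owner gave this party on this resource.
        Returns the number of policies removed."""
        before = len(self.policies)
        self.policies = {
            p for p in self.policies
            if not (p.owner == owner and p.resource == resource
                    and p.requesting_party == requesting_party)
        }
        return before - len(self.policies)

    def decide(self, resource_host: str, path: str,
               requesting_party: str, action: str) -> bool:
        """Resource-server-side query. Default deny: an unregistered resource,
        an unknown party, or an action outside the granted set yields False."""
        resource = (resource_host, path)
        owner = self.registry.get(resource)
        if owner is None:
            return False
        return any(
            p.owner == owner and p.resource == resource
            and p.requesting_party == requesting_party and action in p.actions
            for p in self.policies
        )


def build_demo() -> AuthorizationManager:
    """Constructed scenario: alice's data lives at two different hosts, and
    she instructs the single AM about who may do what with it."""
    am = AuthorizationManager()
    am.register_resource("photos.example", "/alice/holiday.jpg", owner="alice")
    am.register_resource("docs.example", "/alice/notes.txt", owner="alice")
    am.grant("alice", ("photos.example", "/alice/holiday.jpg"), "bob", {"read"})
    am.grant("alice", ("docs.example", "/alice/notes.txt"), "carol", {"read", "write"})
    return am


if __name__ == "__main__":
    am = build_demo()
    # bob may read the photo but not delete it; carol may write the document.
    print(am.decide("photos.example", "/alice/holiday.jpg", "bob", "read"))
    print(am.decide("photos.example", "/alice/holiday.jpg", "bob", "delete"))
    print(am.decide("docs.example", "/alice/notes.txt", "carol", "write"))
```

In this illustration the resource server calls `decide` directly. A deployed system would additionally need an authenticated channel between each resource server and the manager, and a way to establish who the requesting party is before the question is asked; both are assumed away here.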
