xAccess: A unified user-centric access control framework for web applications

Abstract

With the rapid growth of Web 2.0, users are contributing more and more content on the Internet, in the form of user profiles, blogs, reviews, etc. With this increased sharing comes a pressing need for access control policies and mechanisms to protect the users' privacy. Access control has remained largely centralized and under the control of the web applications. Moreover, most web applications either provide no or very primitive and limited access control. We argue that the owner of any piece of data on the web should be able to decide how to control access to this data. This argument should hold not only for the web applications contributing data, but also for the contributing users. In other words, users should be able to choose their own access control models to control the sharing of their data independent of the underlying applications. In this work, we present a novel framework, called xAccess, for providing access control that empowers users to control how they want their data to be accessed. xAccess is analogous to the single sign-on mechanism, however, instead of providing login capability, it provides the user with a single point for defining his access control models and policies for one or multiple applications. On one hand, xAccess enables individual users to use a single unified access control across multiple web applications; and on the other hand, it allows an application to support different access control models deployed by its users with a single model abstraction. We demonstrate the viability of our design by means of a platform prototype. The usability of the platform is further evaluated by developing sample applications using the xAccess APIs.