
Design and implementation of user-managed access framework for web 2.0 applications

Published: 29 November 2010

Abstract

Web 2.0 applications allow individuals to manage their content online and to share it with other users and services on the Web. Such sharing requires access control to be put in place. Existing access control solutions, however, are unsatisfactory as they do not offer the functionality that users need in the open and user-driven Web environment. Additionally, such solutions are often custom-built and require substantial development effort, or use existing frameworks that provide benefits to developers only.
New proposals such as User-Managed Access (UMA) show a promising solution to authorization for Web 2.0 applications. UMA puts the end user in charge of assigning access rights to Web resources. It allows users to share data more selectively using centralized authorization systems which make access decisions based on user instructions. In this paper, we present the UMA/j framework which implements the UMA protocol and allows users of Web applications to use their preferred authorization mechanisms. It also supports developers in building access control for their Web 2.0 applications by providing ready-to-use components that can be integrated with minimum effort.


Cited By

  • Multilevel Subgranting by Power of Attorney and OAuth Authorization Server in Cyber-Physical Systems. IEEE Internet of Things Journal 10(17):15266-15282, 1 September 2023. DOI: 10.1109/JIOT.2023.3265407
  • The Advanced "Rich-Client" Method Based on DOM for the Dynamic and Configurable Web Application. Advanced Materials Research 756-759:1691-1695, September 2013. DOI: 10.4028/www.scientific.net/AMR.756-759.1691


Published In

MW4SOC '10: Proceedings of the 5th International Workshop on Middleware for Service Oriented Computing
November 2010
47 pages
ISBN: 9781450304528
DOI: 10.1145/1890912

Sponsors

• Professional
• USENIX Assoc
• IFIP

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. access control
2. middleware
3. security
4. web applications

Qualifiers

• Research-article
Conference

Middleware '10: 11th International Middleware Conference
November 29 - December 3, 2010
Bangalore, India
Sponsor: USENIX Assoc
