Collaboration by passing access rights for personal protected Web resources

This paper describes how users can collaborate through sharing personal protected Web resources. Personal protected Web resources are Web pages and services that are typically password-protected. One example is a personal page on an auction site. This paper introduces capability-based access control to the World Wide Web without modifying existing servers and clients. Access rights for personal protected Web resources are represented as capabilities for the Web resources. When users collaborate, capability-based access control on the Web has two advantages over conventional access-control-list based access control. First, a user can easily pass his/her own capabilities to access Web resources to other users along with delegating tasks. For example, a parent can ask a child to bid on a PC on behalf of the parent by passing the capability to access the parent's auction page but not giving the child the password. Second, restricted capabilities are useful in passing access rights. For example, before a parent passes the capability to bid on a PC to a child, the parent can create a restricted capability that allows biding up to $100 on a PC from the original unlimited capability. The proposed method has been implemented as Web applications called CapaEdit and CapaGate in Java by using the Google Web Toolkit. Using CapaEdit, a user can interactively create a capability to access his/her personal protected Web resources with access control to hyperlinks and form parameters. The receiver of the capability can access the Web resources through CapaGate, which enforces the restrictions. Experimental results show that these Web applications perform well enough for interactive use.