In this paper, we compare three open source access control languages, XACML, JAAS and Java ACL. In addition to a conceptual analysis, we use a Web-based health care system as a common application, in which controlled access is implemented through each of the languages. We compare the languages using standard software metrics, such as reusability, policy expressiveness, extensibility, error handling, and programmatic control. The results of the comparative study indicate a high degree of variance in the three languages. They can serve as a useful guide for software developers to select an access control language that best meets their requirements.