ABSTRACT
Mashups are web-based applications that merge content (data and code) from multiple sources and present an integrated view to the user. A central requirement of a mashup is authorizing the user to the backend services it draws on, and the current authorization protocols for mashups have clear limitations. In the strawman approach the user hands credentials to the mashup, so a malicious or compromised mashup can leak them. OAuth has a scalability problem and requires a stateful server at the backend service. AuthSub issues only a single-use token: obtaining a session token requires additional steps, and revocation must be explicit, which may not be possible in every situation. The permit-based approach requires a separate permit for each backend service and a renewed or new permit whenever the mashup's requirements change (e.g. from read to execute); revocation is a problem in this approach as well.
In this paper we propose a new protocol for accessing backend services from a mashup. The protocol uses a Java-based mobile agent, the Aglet. The root problem in the approaches above is that they delegate the authorization process to the mashup. In our approach, a mashup that requires content from backend services receives that content through an Aglet, without authorization rights being delegated to the mashup or credentials being released to it. An Aglet can move between the nodes of a network, sense its environment, and perform the desired actions. The stated limitations of the approaches above are therefore overcome by letting the Aglet move across the different mashups and backend services and supply data and code as necessary.
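The contrast the abstract draws between the strawman, permit-based and agent-mediated flows, as an added illustrative model in Python. It is not the paper's protocol and not Aglets SDK code (Aglets is Java); Backend, Permit, strawman_mashup, Agent and dispatch_agent, the sample user and the two backend services are all assumptions made for this example. The model shows what each flow leaves in the mashup's hands: the strawman mashup ends up holding the raw password, a permit is refused as soon as the required operation changes from read to execute, and the agent flow hands the mashup content only.

```python
"""Added illustrative model of the three delegation flows the abstract contrasts;
not the paper's protocol and not the Aglets SDK. All names here are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data: one user known to two backend services.
USER = "alice"
PASSWORD = "correct horse battery staple"


@dataclass(frozen=True)
class Permit:
    """Permit-based delegation: bound to one service and one scope, signed by the service."""
    user: str
    service: str
    scope: str
    mac: bytes


class Backend:
    """A backend service that authenticates the user before serving content."""
    def __init__(self, name, users):
        self.name = name
        self._salt = os.urandom(16)
        self._key = os.urandom(32)  # service key used to sign its permits
        self._users = {u: self._hash(p) for u, p in users.items()}

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def _authenticate(self, user, password):
        stored = self._users.get(user, b"")
        if not hmac.compare_digest(stored, self._hash(password)):
            raise PermissionError(f"{self.name}: bad credential for {user!r}")

    def serve(self, user, password, op):
        """Credential path (strawman and agent): the caller presents the user's secret."""
        self._authenticate(user, password)
        return f"{self.name}:{op}:{user}"

    def _permit_mac(self, user, scope):
        return hmac.new(self._key, f"{user}|{self.name}|{scope}".encode(), "sha256").digest()

    def issue_permit(self, user, password, scope):
        self._authenticate(user, password)
        return Permit(user, self.name, scope, self._permit_mac(user, scope))

    def serve_with_permit(self, permit, op):
        # Permit path: valid only at the issuing service and only for its fixed scope.
        if permit.service != self.name or not hmac.compare_digest(
                permit.mac, self._permit_mac(permit.user, permit.scope)):
            raise PermissionError(f"{self.name}: invalid permit")
        if op != permit.scope:  # a 'read' permit does not cover 'execute'
            raise PermissionError(f"{self.name}: permit scope {permit.scope!r} does not cover {op!r}")
        return f"{self.name}:{op}:{permit.user}"


def strawman_mashup(backends, user, password, op, compromised=False):
    """Strawman: the mashup itself holds the raw credential; a compromised one leaks it."""
    leaked = [password] if compromised else []  # the exfiltration point
    return {b.name: b.serve(user, password, op) for b in backends}, leaked


class Agent:
    """Agent path: carries the credential, visits each backend, hands back content only.
    A Python attribute is no security boundary; in the paper the isolation comes from
    the agent executing on its own platform rather than inside the mashup."""
    def __init__(self, user, password):
        self._user = user
        self.__credential = password
        self._results = {}

    def visit(self, backend, op):
        self._results[backend.name] = backend.serve(self._user, self.__credential, op)

    def deliver(self):
        return dict(self._results)


def dispatch_agent(request, user, password):
    """User side: satisfy a mashup request [(backend, op), ...] with content only."""
    agent = Agent(user, password)
    for backend, op in request:
        agent.visit(backend, op)
    return agent.deliver()


def demo():
    """Exercise the three flows and return what each one exposes or refuses."""
    calendar = Backend("calendar", {USER: PASSWORD})
    mail = Backend("mail", {USER: PASSWORD})
    # 1. strawman: the compromised mashup ends up holding the password
    _, leaked = strawman_mashup([calendar, mail], USER, PASSWORD, "read", compromised=True)
    # 2. permit: issued per service with a fixed scope, so 'read' -> 'execute' is refused
    read_permit = calendar.issue_permit(USER, PASSWORD, "read")
    try:
        calendar.serve_with_permit(read_permit, "execute")
        scope_error = None
    except PermissionError as e:
        scope_error = str(e)
    # 3. agent: the changed requirement is just another visit with the same credential
    content = dispatch_agent([(calendar, "read"), (mail, "execute")], USER, PASSWORD)
    return leaked, scope_error, content
```

Calling `demo()` returns the leaked password list from the strawman flow, the refusal message from the permit flow, and the content dictionary from the agent flow. Note that a permit issued by one Backend is also rejected by any other, which is the per-service permit requirement the abstract mentions; the agent, by contrast, authenticates itself at each backend with the user's own credential and the mashup receives nothing but the delivered content.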
- Dion Hinchcliffe's Web 2.0 blog. Available at: web2.socialcomputingmagazine.com.
- Google. Google Account Authentication (AuthSub). Available: http://code.google.com/apis/accounts/AuthForWebApps.html.
- IBM. Aglets Software Development Kit, Aglets Documentation. 2005. Available: http://www.trl.ibm.co.jp/aglets/.
- OAuth Specification 1.0. 2007. Available: http://oauth.net/core/1.0.
- A. Castillo, M. Kawaguchi, N. Paciorek, and D. Wong. Concordia as enabling technology for cooperative information gathering. In Japanese Society for Artificial Intelligence Conference, pages 228--237, June 1998.
- Nick Craswell, Jason Haines, Brendan Humphreys, Chris Johnson, and Paul Thistlewaite. Aglets: a good idea for spidering? Available: research.microsoft.com/pubs/65286/craswell-idea97.pdf.
- M. Dikaiakos and D. Gunopoulos. The architecture of an internet based financial information gathering infrastructure. In Proceedings of the International Workshop on Advanced Issues of E-Commerce and Web-based Information Systems, IEEE Computer Society, Apr 1999.
- Ragib Hasan, Marianne Winslett, Richard Conlan, Brian Slesinsky, and Nandakumar Ramani. Please permit me: Stateless delegated authorization in mashups. In Proceedings of the Annual Computer Security Applications Conference, IEEE Computer Society Press, Anaheim, California, Dec 2008.
- Jon Howell, Collin Jackson, Helen J. Wang, and Xiaofeng Fan. MashupOS: Operating system abstractions for client mashups. In HotOS, 2007.
- N. Kulathuramaiyer. Mashups: Emerging application development paradigm for a digital journal. Journal of Universal Computer Science, 13(4):531--542, Apr 2007.
- D. Merrill. Mashups: The new breed of web app. 2006. Available: http://www.ibm.com/developerworks/xml/library/x-mashups.html.
- Tim O'Reilly. What is web 2.0. O'Reilly Network, Aug 2006. Available: http://www.oreilly.de/artikel/web20.html.
- S. Papastavron, G. Samaras, and E. Pitoura. Mobile agents for WWW distributed database access. In Proceedings of the Fifteenth International Conference on Data Engineering, pages 228--237, Mar 1999.
SAuthMash: mobile agent based self authorization in mashups