SAuthMash: mobile agent based self authorization in mashups

  • Authors:
  • Imran Khan; Mohammad Nauman; Masoom Alam; Furqan Aziz

  • Affiliations:
  • FAST-NUCES, Pakistan; Institute of Management Sciences, Pakistan; Institute of Management Sciences, Pakistan; FAST-NUCES, Pakistan

  • Venue:
  • Proceedings of the 7th International Conference on Frontiers of Information Technology
  • Year:
  • 2009

Abstract

Mashups are web-based applications that merge content (data and code) from multiple sources and provide an integrated view to the user. One of the main requirements in a mashup is the authorization of the user to the backend services. Current protocols for authorization in mashups have obvious limitations. With the strawman approach, a malicious or compromised mashup can leak user credentials. The OAuth approach has a scalability problem and requires a stateful server at the backend service. AuthSub issues only a single-use token, and obtaining a session token requires additional steps and also explicit revocation, which may not be possible in some situations. The problem with the permit-based approach is that it requires a separate permit for each backend service and also requires renewing the permit or obtaining a new one when the mashup's requirements change (e.g. read to execute). Revocation is a problem in this approach as well. In this paper we propose a new protocol for accessing backend services in mashups. Our protocol makes use of a Java-based mobile agent called Aglet. The main source of the problems in the above approaches is the delegation of the authorization process to the mashup. In our approach, when a mashup requires content from backend services, that content is accessed and provided to the mashup through the Aglet, without delegating authorization rights or releasing credentials to the mashup. An Aglet has the ability to move around the nodes of a network, to sense its environment and to perform the desired actions. The stated limitations of the above approaches can therefore be overcome with our Aglet-based approach by allowing the Aglet to move across different mashups and backend services and provide data and code as necessary.