Privacy-preserving authorization method for mashups

Mashups, which combine multiple sources to create a new service, emerged as an evolution of Web 2.0. However, scalable access control for mashups is difficult. To let a mashup gather data from legacy applications and services, users must grant whatever permissions the mashup host demands. These demands are made without any standard or limit on privacy protection. This authorization approach violates the principle of least privilege and leaves users vulnerable to misuse of their private information by malicious mashups. To overcome these limitations, we introduce a privacy-preserving authorization method for mashups, which encapsulates the data of backend services with different private sensitivity degrees before the authorization process executes. We also give a data-user relationship model that provides backend services with a standard for defining the private sensitivity degrees of users' data. In this process, a standard encapsulation file and an authorization file are created in turn. Finally, the authorization steps, which can be stored for regular reuse by the mashup, are derived from the authorization mechanism and the authorization file. The proposed method focuses mainly on the users and the backend services, which are the real data owners. Through this method, users are able to observe and control the data involved in the mashup, and backend services can take responsibility for protecting their users' private information. At the end of the paper, an application example and a series of experimental studies are given to demonstrate the feasibility and efficiency of this method. Copyright © 2015 John Wiley & Sons, Ltd.
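The abstract describes a pipeline in three stages: the backend service encapsulates each data field with a sensitivity degree, the user produces an authorization file for a particular mashup, and the stored authorization file then drives each release so that only permitted fields reach the mashup. The following Python is an added illustration of that least-privilege flow; it is not the paper's code, and the four-level degree scale, the relationship labels, the field names and the JSON layout of the two files are all assumptions made here for the example.

```python
"""Added illustration of sensitivity-degree encapsulation followed by a
least-privilege release to a mashup. Not the paper's implementation; the
degree scale, relationship labels and file layouts are assumptions."""
import json
from typing import Dict, List, Tuple

# Assumed sensitivity degrees; higher means more private.
PUBLIC, SHARED, PRIVATE, SECRET = 0, 1, 2, 3

# Assumed data-user relationship model: the relationship a datum has to the
# user decides its degree, so every backend classifies fields the same way.
RELATIONSHIP_TO_DEGREE = {
    "published_by_user": PUBLIC,
    "shared_with_contacts": SHARED,
    "about_user_only": PRIVATE,
    "credential": SECRET,
}


def build_encapsulation_file(schema: Dict[str, str]) -> Dict[str, int]:
    """Stage 1 (backend service): map each field to a degree via its relationship.
    A field with an unknown relationship is rejected rather than defaulted to public."""
    unknown = set(schema.values()) - set(RELATIONSHIP_TO_DEGREE)
    if unknown:
        raise ValueError(f"unclassified relationship(s): {sorted(unknown)}")
    return {name: RELATIONSHIP_TO_DEGREE[rel] for name, rel in schema.items()}


def build_authorization_file(mashup_id: str, encapsulation: Dict[str, int],
                             max_degree: int, denied: Tuple[str, ...] = ()) -> dict:
    """Stage 2 (user): grant a specific mashup every field at or below max_degree,
    minus any fields the user explicitly denies. Scoped to one mashup id."""
    allowed = sorted(name for name, deg in encapsulation.items()
                     if deg <= max_degree and name not in denied)
    return {"mashup": mashup_id, "max_degree": max_degree, "allowed_fields": allowed}


def save_authorization_file(auth: dict) -> str:
    """Serialise the authorization file so it can be stored and reused on later runs."""
    return json.dumps(auth, sort_keys=True)


def load_authorization_file(text: str) -> dict:
    return json.loads(text)


def authorize_release(requesting_mashup: str, record: dict, encapsulation: Dict[str, int],
                      auth: dict, audit: List[dict]) -> dict:
    """Stage 3: release only the fields the stored authorization permits.
    Every decision is appended to `audit` so the user can observe what left."""
    if auth["mashup"] != requesting_mashup:
        raise PermissionError(f"authorization file is not for mashup {requesting_mashup!r}")
    allowed = set(auth["allowed_fields"])
    released = {}
    for name, value in record.items():
        if name not in encapsulation:
            # Unclassified data never leaves the backend, regardless of the grant.
            audit.append({"field": name, "decision": "withheld", "reason": "unclassified"})
        elif name in allowed:
            released[name] = value
            audit.append({"field": name, "decision": "released",
                          "degree": encapsulation[name]})
        else:
            audit.append({"field": name, "decision": "withheld",
                          "reason": "not in authorization file"})
    return released


# Constructed sample data for a hypothetical profile backend.
SAMPLE_SCHEMA = {
    "display_name": "published_by_user",
    "email": "shared_with_contacts",
    "location_history": "about_user_only",
    "api_token": "credential",
}
SAMPLE_RECORD = {
    "display_name": "alice",
    "email": "alice@example.invalid",
    "location_history": ["51.5,-0.1", "48.8,2.3"],
    "api_token": "CONSTRUCTED-TOKEN",
    "last_login_ip": "203.0.113.7",   # deliberately absent from the schema
}


def demo() -> Tuple[dict, List[dict]]:
    """Run the three stages end to end; returns (released fields, audit log)."""
    encapsulation = build_encapsulation_file(SAMPLE_SCHEMA)
    auth = build_authorization_file("map-mashup", encapsulation, SHARED, denied=("email",))
    stored = save_authorization_file(auth)            # kept for regular reuse
    audit: List[dict] = []
    released = authorize_release("map-mashup", SAMPLE_RECORD, encapsulation,
                                 load_authorization_file(stored), audit)
    return released, audit


if __name__ == "__main__":
    out, log = demo()
    print("released:", out)
    for entry in log:
        print(entry)
```

The point the example makes is that the grant is expressed in terms of the backend's degrees, not in terms of whatever the mashup asks for, and that a field the backend never classified is withheld by default; the user can also narrow a degree-based grant with an explicit deny list and read the audit log to see exactly which fields reached the mashup.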
