End-to-End Security for Enterprise Mashups

  • Florian Rosenberg
  • Rania Khalaf
  • Matthew Duftler
  • Francisco Curbera
  • Paula Austel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5900)


Mashups are gaining momentum as a means to develop situational Web applications by combining different resources (services, data feeds) and user interfaces. In enterprise environments, mashups have recently been used to implement Web-based business processes; however, security is a major concern. Current approaches do not allow the mashup to securely consume services with diverse security requirements without sharing the end-user's credentials or hard-coding them in the mashup definition. In this paper, we present a solution that integrates security concerns into an existing enterprise mashup platform. We provide an extension to the mashup language and runtime and propose a Secure Authentication Service (SAS) that seamlessly facilitates secure authentication and authorization of end-users with the services consumed in the mashup.


Keywords (added by machine, not by the authors): Authentication Protocol, Security Element, Target Service, Secure Authentication, RESTful Service



Copyright © Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Florian Rosenberg (1)
  • Rania Khalaf (2)
  • Matthew Duftler (2)
  • Francisco Curbera (2)
  • Paula Austel (2)

  1. Distributed Systems Group, Technical University Vienna, Vienna, Austria
  2. IBM T.J. Watson Research Center, Hawthorne, NY
