Abstract
Execution process in modern Web applications is usually represented as a partially ordered sequence of basic actions issued by a client (login, buy, exit, etc.; the login action usually precedes purchasing). Based on these actions, a finite automaton of fine-grained authorization checks, may be specified in a separate layer that is easily configurable for security needs of a particular application. In the Mobile case there may be two such state machines - one performing state-based authorization checks of the application execution process and the other performing such checks for the mobile agent execution process. Authorization checks of these machines may be both state-based and policy based, and the policies should distinguish between human clients and mobile agents cases. We develop the framework to specify and enforce finegrained state-based authorization checks of Web application execution, consisting of a Web browser (client) and a server. We adopt this framework to the mobile case so that state machines representing finegrained authorization checks of application and mobile agent execution are synchronized.