
Attribute Authorization - A Novel Enhancement to API Gateways

  • Conference paper
  • First Online:
Service-Oriented Computing (ICSOC 2023)

Abstract

With the growth of microservice-based architectures, API Gateways have proven to be a viable intermediary service for enforcing security policies including authentication, authorization, and access control. Checking whether a caller is entitled to invoke an API (API Level Authorization) is available in many API Gateway solutions; however, inspecting whether the caller is entitled to specific attributes of the response (Attribute Authorization) is not supported and is an unexplored problem in the literature. This paper formally introduces the Attribute Authorization problem and presents two real-time, scalable, low-latency solutions that effectively process large responses. The first algorithm leverages a traditional Trie-based approach to enforce attribute authorization, and the second utilizes a Tree representation coupled with traditional Depth First Search (DFS) to speed up response transformation.
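To make the idea of attribute-level filtering with a trie concrete, the following added example (not code from the paper, whose algorithms are not reproduced on this page) builds a trie of granted attribute paths and drops every response attribute that no path grants. The dotted path syntax, the `*` array wildcard, the function names and the sample response are all assumptions made for illustration.

```python
GRANT = object()   # marks a trie node whose whole subtree is granted
DROP = object()    # sentinel: nothing under this value is granted
WILDCARD = "*"     # assumed path syntax: every element of an array

def build_trie(allowed_paths):
    """Build a trie keyed by path segment from dotted attribute paths."""
    root = {}
    for path in allowed_paths:
        node = root
        for segment in path.split("."):
            node = node.setdefault(segment, {})
        node[GRANT] = True
    return root

def filter_value(value, node):
    """Copy only granted attributes; default deny for everything else."""
    if node.get(GRANT):
        return value
    if isinstance(value, dict):
        kept = {}
        for key, child in value.items():
            if key != WILDCARD and key in node:
                result = filter_value(child, node[key])
                if result is not DROP:
                    kept[key] = result
        return kept if kept else DROP
    if isinstance(value, list) and WILDCARD in node:
        items = (filter_value(item, node[WILDCARD]) for item in value)
        return [item for item in items if item is not DROP]
    return DROP  # scalar, or array with no grant on this path

def authorize(response, allowed_paths):
    """Return the response a caller with these granted paths may see."""
    result = filter_value(response, build_trie(allowed_paths))
    return {} if result is DROP else result

# Constructed sample response and caller policy (not from the paper).
SAMPLE = {
    "accountId": "A-1001",
    "owner": {"name": "Dana", "ssn": "000-00-0000"},
    "balance": 2500,
    "transactions": [{"id": 1, "amount": 40}, {"id": 2, "amount": 15}],
}
POLICY = ["accountId", "owner.name", "transactions.*.amount"]

if __name__ == "__main__":
    import json
    print(json.dumps(authorize(SAMPLE, POLICY), indent=2))
```

Because the filter copies only what a path grants, an attribute the backend adds later stays hidden until a policy names it.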



Author information

Corresponding author

Correspondence to Archana Sulebele.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Sulebele, A., Munnangi, S.K. (2023). Attribute Authorization - A Novel Enhancement to API Gateways. In: Monti, F., Rinderle-Ma, S., Ruiz Cortés, A., Zheng, Z., Mecella, M. (eds) Service-Oriented Computing. ICSOC 2023. Lecture Notes in Computer Science, vol 14420. Springer, Cham. https://doi.org/10.1007/978-3-031-48424-7_20

  • DOI: https://doi.org/10.1007/978-3-031-48424-7_20

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-48423-0

  • Online ISBN: 978-3-031-48424-7

  • eBook Packages: Computer Science (R0)
