
On the Security Expressiveness of REST-Based API Definition Languages

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10442)

Abstract

Modern software is inherently distributed. Applications are decomposed into functional components, most of which are provided by third parties and deployed as software services scattered across the network. Service consumers can discover and orchestrate the available services in a flexible, on-the-fly manner. To do so, a standardized specification of a service's functionality is required. Beyond functional aspects, such an interface definition language must also offer expressions for specifying important non-functional facets, such as security. With WSDL and WS-Security, a standardized service description language and a mature security framework are available for the SOAP domain. For REST-based web services, however, such standards are missing. To close this gap, many distinct sources propose service description languages and security schemes for REST-based web services. This paper provides a systematic analysis of these languages with a specific focus on their ability to express security policies. The obtained results reveal substantial limitations in all analyzed specification languages.
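As an added example (not code from the paper or from any of the projects it surveys), the following Python linter walks the security vocabulary of an OpenAPI 2.0 (Swagger) description, one of the REST-based API definition languages the paper analyzes, and reports operations with no security requirement, API keys carried in the query string, a plaintext transport scheme, and references to undeclared schemes or scopes. It also makes the expressiveness limit concrete: OpenAPI 2.0 admits only the scheme types basic, apiKey and oauth2, so a description that tries to declare a message-signing scheme (the hypothetical type "httpSignature" in the sample) has no valid encoding in the vocabulary and is flagged. The sample document, host names, scheme names and finding codes are all constructed for this illustration.

```python
"""Lint the security-related parts of an OpenAPI 2.0 (Swagger) description.

Added example; the sample description below is constructed and is not
taken from the paper or from any real API.
"""
import json

# Constructed OpenAPI 2.0 document; only security-relevant fields are filled in.
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "Orders API (constructed sample)", "version": "1.0"},
  "host": "api.example.test",
  "schemes": ["http", "https"],
  "securityDefinitions": {
    "basicAuth":  {"type": "basic"},
    "keyInQuery": {"type": "apiKey", "name": "api_key", "in": "query"},
    "oauth": {
      "type": "oauth2", "flow": "accessCode",
      "authorizationUrl": "https://auth.example.test/authorize",
      "tokenUrl": "https://auth.example.test/token",
      "scopes": {"read": "read orders"}
    },
    "reqSig": {"type": "httpSignature"}
  },
  "security": [{"basicAuth": []}],
  "paths": {
    "/public":      {"get":    {"security": [],
                                "responses": {"200": {"description": "ok"}}}},
    "/orders":      {"get":    {"responses": {"200": {"description": "ok"}}}},
    "/orders/{id}": {"delete": {"security": [{"oauth": ["write"]}],
                                "responses": {"204": {"description": "deleted"}}}},
    "/admin":       {"post":   {"security": [{"missing": []}],
                                "responses": {"200": {"description": "ok"}}}}
  }
}
""")

# The complete set of scheme types the OpenAPI 2.0 vocabulary can express.
SCHEME_TYPES = {"basic", "apiKey", "oauth2"}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def lint_security(spec):
    """Return a list of (code, location, detail) findings for the description."""
    findings = []
    defs = spec.get("securityDefinitions", {})

    # 1. Scheme definitions: reject types the vocabulary does not know and
    #    flag API keys that would travel in the URL (logs, referrers, caches).
    for name, d in defs.items():
        scheme_type = d.get("type")
        if scheme_type not in SCHEME_TYPES:
            findings.append(("UNKNOWN_SCHEME_TYPE", name, scheme_type))
        elif scheme_type == "apiKey" and d.get("in") == "query":
            findings.append(("KEY_IN_QUERY", name, d.get("name")))

    # 2. Transport: listing "http" permits every operation over plaintext.
    if "http" in spec.get("schemes", []):
        findings.append(("PLAINTEXT_SCHEME", "schemes", "http"))

    # 3. Operations: an operation-level "security" overrides the global one,
    #    and an empty list explicitly removes all requirements.
    default_requirements = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters" and vendor extensions
            location = f"{method.upper()} {path}"
            requirements = op.get("security", default_requirements)
            if not requirements:
                findings.append(("NO_AUTH", location, None))
                continue
            for alternative in requirements:  # alternatives are OR-ed
                for scheme, scopes in alternative.items():
                    if scheme not in defs:
                        findings.append(("UNDEFINED_SCHEME", location, scheme))
                        continue
                    declared = defs[scheme].get("scopes", {})
                    for scope in scopes:
                        if scope not in declared:
                            findings.append(("UNDECLARED_SCOPE", location,
                                             f"{scheme}:{scope}"))
    return findings


if __name__ == "__main__":
    for code, where, detail in lint_security(SAMPLE_SPEC):
        print(f"{code:<20} {where:<24} {detail if detail is not None else ''}")
```

Run against the sample, the linter reports six findings: the plaintext scheme, the key-in-query definition, the unrepresentable "httpSignature" scheme, the unauthenticated GET /public, the undeclared "write" scope on DELETE /orders/{id}, and the undefined scheme on POST /admin. Note what the check cannot do: because the vocabulary stops at the three scheme types, there is no field to inspect for message integrity, replay protection or the binding of a token to the transport channel, which is exactly the kind of gap a linter over the description alone cannot close.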



Corresponding author

Correspondence to Hoai Viet Nguyen.


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Nguyen, H.V., Tolsdorf, J., Lo Iacono, L. (2017). On the Security Expressiveness of REST-Based API Definition Languages. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2017. Lecture Notes in Computer Science, vol. 10442. Springer, Cham. https://doi.org/10.1007/978-3-319-64483-7_14

  • DOI: https://doi.org/10.1007/978-3-319-64483-7_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64482-0

  • Online ISBN: 978-3-319-64483-7

  • eBook Packages: Computer Science (R0)