Abstract
Modern software is inherently distributed. Applications are decomposed into functional components, most of which are provided by third parties and usually deployed as software services scattered across the network. Available services can be discovered and orchestrated by service consumers in a flexible and on-the-fly manner. To do so, a standardized specification of the service’s functionalities is required. Apart from functional aspects, such an interface definition language also needs to offer expressions for specifying important non-functional facets, such as security. With WSDL and WS-Security, such a standardized service description language and a mature security framework are available for the SOAP domain. For REST-based web services, however, such standards are missing. To overcome these shortcomings, many distinct sources propose service description languages and security schemes for REST-based web services. This paper provides a systematic analysis of these languages with a specific focus on their ability to express security policies. The obtained results reveal substantial limitations in all analyzed specification languages.
© 2017 Springer International Publishing AG
Cite this paper
Nguyen, H.V., Tolsdorf, J., Lo Iacono, L. (2017). On the Security Expressiveness of REST-Based API Definition Languages. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2017. Lecture Notes in Computer Science, vol 10442. Springer, Cham. https://doi.org/10.1007/978-3-319-64483-7_14
DOI: https://doi.org/10.1007/978-3-319-64483-7_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64482-0
Online ISBN: 978-3-319-64483-7