
Simplified Authentication and Authorization for RESTful Services in Trusted Environments

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 7592)

Abstract

In some trusted environments, such as an organization's intranet, local web services may be assumed to be trustworthy. This property can be exploited to simplify the authentication and authorization protocols between resource providers and consumers, lowering the barrier to developing services and clients. Existing security solutions for RESTful services, in contrast, also support untrusted services, a capability that adds complexity and is not needed on an intranet hosting only trusted services.

We propose a central security service with a lean API that handles both authentication and authorization for trusted RESTful services. A user trades credentials for a token that grants access to services. Services may query the security service to verify a token's authenticity and to obtain the roles granted to its user. The system provides fine-grained access control at the level of individual resources, following the role-based access control (RBAC) model. Resources are identified by their URLs, which keeps the authorization system generic. The mapping of users to roles resides with the central security service and depends on the resource being accessed; the mapping of roles to permissions is implemented individually by each service. We rely on the secure channels and trusted intermediaries characteristic of intranets to simplify the protocols involved and to make the security features easy to use, cutting the number of required API calls in half.
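The flow described in the abstract (credentials traded for a token, then one combined "is this token genuine, and which roles does its user hold on this URL?" query from the service, with the role-to-permission table kept by the service itself), as an added example in Python that is not code from the paper; the page shows none of the authors' implementation. The class names, the longest-URL-prefix rule for resource-dependent role lookup, the sample accounts, the wiki URL and the permission table are all assumptions made for this illustration.

```python
"""Toy model of the central security service sketched in the abstract.

One SecurityService issues tokens and answers a single combined query
("is this token valid, and which roles does its user hold on this URL?");
each ResourceService keeps its own role->permission table.  Everything
runs in-process; on a real intranet the calls between the three parties
would travel over TLS between hosts the paper assumes are trusted.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class SecurityService:
    users: dict              # user -> password (constructed sample accounts)
    role_assignments: dict   # (user, url_prefix) -> set of roles
    ttl: float = 3600.0      # token lifetime in seconds
    _tokens: dict = field(default_factory=dict)  # token -> (user, expiry)

    def login(self, user, password):
        """API call 1: trade credentials for an opaque bearer token."""
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, time.time() + self.ttl)
        return token

    def check(self, token, resource_url):
        """API call 2: token authenticity and the roles the token's user holds
        on resource_url, in one round trip.  None if unknown or expired.
        Assumption made here: the most specific (longest) URL prefix that
        has an assignment for the user decides the roles."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if time.time() > expiry:
            del self._tokens[token]
            return None
        best_len, roles = -1, frozenset()
        for (u, prefix), assigned in self.role_assignments.items():
            if u == user and resource_url.startswith(prefix) and len(prefix) > best_len:
                best_len, roles = len(prefix), frozenset(assigned)
        return user, roles


@dataclass
class ResourceService:
    base_url: str
    security: SecurityService
    permissions: dict        # role -> allowed HTTP methods; local to this service

    def handle(self, method, path, headers):
        """Authorize one request; returns an HTTP-like (status, body) pair."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing token"
        token = auth[len("Bearer "):]
        url = self.base_url + path
        result = self.security.check(token, url)
        if result is None:
            return 401, "invalid or expired token"
        user, roles = result
        allowed = set().union(*(self.permissions.get(r, set()) for r in roles))
        if method not in allowed:
            return 403, f"{user} holds {sorted(roles)} on {url}; {method} not permitted"
        return 200, f"{method} {url} as {user}"


def demo():
    """Exercise the flow with constructed accounts and a constructed wiki service."""
    sec = SecurityService(
        users={"alice": "correct horse", "bob": "hunter2"},
        role_assignments={
            ("alice", "https://wiki.corp.example/"): {"reader"},
            ("alice", "https://wiki.corp.example/projects/"): {"editor"},
            ("bob", "https://wiki.corp.example/"): {"reader"},
        },
    )
    wiki = ResourceService(
        base_url="https://wiki.corp.example",
        security=sec,
        permissions={"reader": {"GET"}, "editor": {"GET", "PUT", "DELETE"}},
    )
    tok = sec.login("alice", "correct horse")
    hdr = {"Authorization": "Bearer " + tok}
    return [
        wiki.handle("GET", "/home", hdr)[0],          # 200: reader at the root
        wiki.handle("PUT", "/home", hdr)[0],          # 403: reader may not write
        wiki.handle("PUT", "/projects/x", hdr)[0],    # 200: editor under /projects/
        wiki.handle("GET", "/home", {"Authorization": "Bearer bogus"})[0],  # 401
        sec.login("bob", "wrong password"),           # None: bad credentials
    ]


if __name__ == "__main__":
    print(demo())
```

On the service side the cost of a request is a single call to the security service, which is where the abstract's halving of API calls comes from: authentication of the token and the resource-specific role lookup are answered together rather than in separate exchanges. The price is visible in the same code: the token is a plain bearer secret, so any service that receives it could replay it against another service. The design therefore stands or falls with the assumption that every service on the intranet is trusted; audience-bound tickets or per-request signatures, which existing solutions for untrusted services carry, are exactly what this scheme leaves out.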




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Brachmann, E., Dittmann, G., Schubert, KD. (2012). Simplified Authentication and Authorization for RESTful Services in Trusted Environments. In: De Paoli, F., Pimentel, E., Zavattaro, G. (eds) Service-Oriented and Cloud Computing. ESOCC 2012. Lecture Notes in Computer Science, vol 7592. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33427-6_21


  • DOI: https://doi.org/10.1007/978-3-642-33427-6_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33426-9

  • Online ISBN: 978-3-642-33427-6

