We presented in the research track of the 19th International Conference on Web Services (ICWS 2012) the paper entitled “Enabling Message Security for RESTful Services”, by Gabriel Serme, Anderson Santana de Oliveira, Julien Massiera and Yves Roudier. It is a proposal to secure message exchange in RESTful services. With the growing interest in cloud computing, there has been a shift from SOAP-based services to more lightweight communication based on REST, as applications and cloud APIs make intensive use of this architectural style to expose and consume resources on the web. Despite its wide adoption, REST suffers from the absence of meta-descriptions, especially concerning security requirements.
We tackle the lack of a security model for RESTful services by providing mechanisms for REST equivalent to the message security model defined in the WS-Security standard. Our approach does not reinvent the wheel, yet it provides higher flexibility in several scenarios, especially in mobile systems, where relying on transport layer security is painful, as channels need to be frequently reset. The figure below illustrates the appropriate strategy to secure web service messages; our initiative best fits the cases mentioned in the last row.
We have created a protocol that makes message security implementation as lightweight and efficient as possible while still respecting the REST principles. We show how message signature and encryption can address communication security for RESTful services at a fine-grained level, providing authentication, confidentiality, and non-repudiation, among others. Among the advantages of our solution are its small footprint and the fact that it can be easily integrated into existing services without disruption. Our benchmarks show that the overhead we introduced is far smaller than that of the equivalent realization using SOAP and WS-Security for the concerned scenarios.