
We presented, in the research track of the 19th International Conference on Web Services (ICWS 2012), the paper entitled “Enabling Message Security for RESTful Services”, by Gabriel Serme, Anderson Santana de Oliveira, Julien Massiera and Yves Roudier. It is a proposal to secure message exchange in RESTful services. With the growing interest in cloud computing, there has been a shift from SOAP-based services to more lightweight communication based on REST, as applications and cloud APIs make intensive use of this architectural style to expose and consume resources on the web. Despite its wide adoption, REST suffers from the absence of meta-descriptions, especially concerning security requirements.

   
We tackle the lack of a security model for RESTful services by providing mechanisms for REST equivalent to the message security model defined in the WS-Security standard. Our approach does not reinvent the wheel, yet it provides higher flexibility in several scenarios, especially in mobile systems, where relying on transport layer security is painful because channels need to be frequently reset. The figure below illustrates the appropriate strategy to secure web service messages; our initiative best fits the cases mentioned in the last row.

[Figure: appropriate strategies to secure web service messages (image: /wp-content/uploads/2012/06/figure_blog_115350.png)]

We have created a protocol that makes message security implementation as lightweight and efficient as possible while still respecting the REST principles. We show how message signature and encryption can address communication security for RESTful services at a fine-grained level, providing authentication, confidentiality, and non-repudiation, among others. The advantages of our solution include its small footprint and the fact that it can be easily integrated into existing services without disruption. Our benchmarks show that the overhead we introduced is far smaller than that of the equivalent realization using SOAP and WS-Security for the concerned scenarios.

This work is supported by the French Research Agency (ANR), in the context of the CESSA project. For more information, please contact Gabriel Serme or Anderson Santana de Oliveira.
