{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,7]],"date-time":"2025-11-07T13:30:51Z","timestamp":1762522251212,"version":"build-2065373602"},"reference-count":74,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2019,2,27]],"date-time":"2019-02-27T00:00:00Z","timestamp":1551225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"German Federal Ministry of Education and Research","award":["13FH016IX6"],"award-info":[{"award-number":["13FH016IX6"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Contemporary software is inherently distributed. The principles guiding the design of such software have been mainly manifested by the service-oriented architecture (SOA) concept. In a SOA, applications are orchestrated by software services generally operated by distinct entities. Due to the latter fact, service security has been of importance in such systems ever since. A dominant protocol for implementing SOA-based systems is SOAP, which comes with a well-elaborated security framework. As an alternative to SOAP, the architectural style representational state transfer (REST) is gaining traction as a simple, lightweight and flexible guideline for designing distributed service systems that scale at large. This paper starts by introducing the basic constraints representing REST. Based on these foundations, the focus is afterwards drawn on the security needs of REST-based service systems. The limitations of transport-oriented protection means are emphasized and the demand for specific message-oriented safeguards is assessed. The paper then reviews the current activities in respect to REST-security and finds that the available schemes are mostly HTTP-centered and very heterogeneous. 
More importantly, all of the analyzed schemes contain vulnerabilities. The paper contributes a methodology on how to establish REST-security as a general security framework for protecting REST-based service systems of any kind by consistent and comprehensive protection means. First adoptions of the introduced approach are presented in relation to REST message authentication with instantiations for REST-ful HTTP (web\/cloud services) and REST-ful Constrained Application Protocol (CoAP) (internet of things (IoT) services).<\/jats:p>","DOI":"10.3390\/fi11030056","type":"journal-article","created":{"date-parts":[[2019,2,27]],"date-time":"2019-02-27T11:41:03Z","timestamp":1551267663000},"page":"56","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["On the Need for a General REST-Security Framework"],"prefix":"10.3390","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7863-0622","authenticated-orcid":false,"given":"Luigi","family":"Lo Iacono","sequence":"first","affiliation":[{"name":"Data and Application Security Group, Cologne University of Applied Sciences, 50679 Cologne, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6540-5389","authenticated-orcid":false,"given":"Hoai Viet","family":"Nguyen","sequence":"additional","affiliation":[{"name":"Data and Application Security Group, Cologne University of Applied Sciences, 50679 Cologne, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0391-4054","authenticated-orcid":false,"given":"Peter Leo","family":"Gorski","sequence":"additional","affiliation":[{"name":"Data and Application Security Group, Cologne University of Applied Sciences, 50679 Cologne, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2019,2,27]]},"reference":[{"key":"ref_1","unstructured":"Fielding, 
R. (2000). Architectural Styles and the Design of Network-Based Software Architectures. [Ph.D. Thesis, University of California]."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and Berners-Lee, T. (1999). Hypertext Transfer Protocol\u2014HTTP\/1.1, IETF. RFC 2616.","DOI":"10.17487\/rfc2616"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Dierks, T., and Rescorla, E. (2008). The Transport Layer Security (TLS) Protocol Version 1.2, IETF. RFC 5246.","DOI":"10.17487\/rfc5246"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Carpenter, B., and Brim, S. (2002). Middleboxes: Taxonomy and Issues, IETF. RFC 3234.","DOI":"10.17487\/rfc3234"},{"key":"ref_5","unstructured":"Durumeric, Z., Ma, Z., Springall, D., Barnes, R., Sullivan, N., Bursztein, E., Bailey, M., Halderman, J.A., and Paxson, V. (2017, February 26\u2013March 1). The Security Impact of HTTPS Interception. Proceedings of the 24th Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA."},{"key":"ref_6","unstructured":"Feiler, P., Sullivan, K., Wallnau, K., Gabriel, R., Goodenough, J., Linger, R., Longstaff, T., Kazman, R., Klein, M., and Northrop, L. (2006). Ultra-Large-Scale Systems: The Software Challenge of the Future, Software Engineering Institute, Carnegie Mellon University."},{"key":"ref_7","unstructured":"Nadalin, A., Kaler, C., Monzillo, R., and Hallam-Baker, P. (2006). Web Services Security: SOAP Message Security 1.1, OASIS Standard."},{"key":"ref_8","unstructured":"Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J.J., Nielsen, H.F., Karmarkar, A., and Lafon, Y. (2007). SOAP Version 1.2 Part 1: Messaging Framework, W3C. [2nd ed.]. Recommendation."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Shelby, Z., Hartke, K., and Bormann, C. (2014). The Constrained Application Protocol (CoAP), IETF. 
RFC 7252.","DOI":"10.17487\/rfc7252"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Rescorla, E., and Modadugu, N. (2012). Datagram Transport Layer Security Version 1.2, IETF. RFC 6347.","DOI":"10.17487\/rfc6347"},{"key":"ref_11","unstructured":"Urien, P. (2018). Remote APDU Call Secure (RACS), IETF. Internet-Draft."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Berners-Lee, T., Fielding, R., and Masinter, L. (2005). Uniform Resource Identifier (URI): Generic Syntax, IETF. RFC 3986.","DOI":"10.17487\/rfc3986"},{"key":"ref_13","unstructured":"Gorski, P.L., Lo Iacono, L., Nguyen, H.V., and Torkian, D.B. (2014, June 27\u2013July 2). Service Security Revisited. Proceedings of the 11th IEEE International Conference on Services Computing (SCC), Anchorage, AK, USA."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Lo Iacono, L., and Nguyen, H.V. (2015, May 20\u201322). Towards Conformance Testing of REST-based Web Services. Proceedings of the 11th International Conference on Web Information Systems and Technologies (WEBIST), Lisbon, Portugal.","DOI":"10.5220\/0005412202170227"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1645","DOI":"10.1002\/dac.2941","article-title":"Service-oriented 5G network architecture: An end-to-end software defining approach","volume":"29","author":"Mao","year":"2016","journal-title":"Int. J. Commun. Syst."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"2787","DOI":"10.1016\/j.comnet.2010.05.010","article-title":"The Internet of Things: A survey","volume":"54","author":"Atzori","year":"2010","journal-title":"Comput. Netw."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"62","DOI":"10.1109\/MIC.2012.29","article-title":"CoAP: An Application Protocol for Billions of Tiny Internet Nodes","volume":"16","author":"Bormann","year":"2012","journal-title":"IEEE Internet Comput."},{"key":"ref_18","unstructured":"Kanneganti, R., and Chodavarapu, P. (2008). 
SOA Security, Manning Publications Co."},{"key":"ref_19","unstructured":"Gorski, P.L., Lo Iacono, L., Nguyen, H.V., and Torkian, D.B. (2014, January 12\u201314). SOA-Readiness of REST. Proceedings of the 3rd European Conference on Service-Oriented and Cloud Computing (ESOCC), Como, Italy."},{"key":"ref_20","unstructured":"Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., and Yergeau, F. (2008). Extensible Markup Language (XML) 1.0, W3C. [5th ed.]. Recommendation."},{"key":"ref_21","unstructured":"Imamura, T., Dillaway, B., Simon, E., Yiu, K., and Nystr\u00f6m, M. (2013). XML Encryption Syntax and Processing Version 1.1, W3C. Recommendation."},{"key":"ref_22","unstructured":"Bartel, M., Boyer, J., Fox, B., LaMacchia, B., and Simon, E. (2008). XML Signature Syntax and Processing, W3C. [2nd ed.]. Recommendation."},{"key":"ref_23","unstructured":"Nadalin, A., Goodner, M., Gudgin, M., Barbir, A., and Granqvist, H. (2007). WS-Trust 1.3, OASIS Standard."},{"key":"ref_24","unstructured":"Goodner, M., and Nadalin, A. (2009). Web Services Federation Language (WS-Federation) Version 1.2, OASIS Standard."},{"key":"ref_25","unstructured":"Nadalin, A., Goodner, M., Gudgin, M., Turner, D., Barbir, A., and Granqvist, H. (2012). WS-SecurityPolicy 1.3, OASIS Standard."},{"key":"ref_26","unstructured":"Nadalin, A., Goodner, M., Gudgin, M., Barbir, A., and Granqvist, H. (2009). WS-SecureConversation 1.4, OASIS Standard."},{"key":"ref_27","unstructured":"Rosenberg, J., and Remy, D. (2004). Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption, Pearson Higher Education."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Lo Iacono, L., and Nguyen, H.V. (2015, June 11\u201313). Authentication Scheme for REST. 
Proceedings of the International Conference on Future Network Systems and Security (FNSS), Paris, France.","DOI":"10.1007\/978-3-319-19210-9_8"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Hardt, D. (2012). The OAuth 2.0 Authorization Framework, IETF. RFC 6749.","DOI":"10.17487\/rfc6749"},{"key":"ref_30","unstructured":"Hedberg, R., Solberg, A., Gulliksson, S., Jones, M., and Bradley, J. (2019). OpenID Connect Federation 1.0\u2014Draft 07, OpenID. Draft."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Nguyen, H.V., and Lo Iacono, L. (2015, September 21\u201325). REST-ful CoAP Message Authentication. Proceedings of the International Workshop on Secure Internet of Things (SIoT), in Conjunction with the European Symposium on Research in Computer Security (ESORICS), Vienna, Austria.","DOI":"10.1109\/SIOT.2015.8"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"95","DOI":"10.1016\/j.jnca.2015.11.017","article-title":"Web application protection techniques: A taxonomy","volume":"60","author":"Prokhorenko","year":"2016","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Reschke, J. (2015). The \u2018Basic\u2019 HTTP Authentication Scheme, IETF. RFC 7617.","DOI":"10.17487\/RFC7617"},{"key":"ref_34","unstructured":"Shekh-Yusef, R., Ahrens, D., and Bremer, S. (2015). HTTP Digest Access Authentication, IETF. RFC 7616."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Nguyen, H.V., Tolsdorf, J., and Lo Iacono, L. (2017, August 30\u201331). On the Security Expressiveness of REST-based API Definition Languages. Proceedings of the 14th International Conference on Trust, Privacy and Security in Digital Business (TrustBus), Lyon, France.","DOI":"10.1007\/978-3-319-64483-7_14"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Farrell, S., Hoffman, P., and Thomas, M. (2015). HTTP Origin-Bound Authentication (HOBA), IETF. 
Experimental RFC 7486.","DOI":"10.17487\/rfc7486"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Melnikov, A. (2016). Salted Challenge Response HTTP Authentication Mechanism, IETF. Experimental RFC 7804.","DOI":"10.17487\/RFC7804"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Oiwa, Y., Takagi, H., Maeda, K., Hayashi, T., and Ioku, Y. (2017). Mutual Authentication Protocol for HTTP, IETF. Experimental RFC 8120.","DOI":"10.17487\/RFC8120"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Oiwa, Y., Takagi, H., Maeda, K., Hayashi, T., and Ioku, Y. (2017). Mutual Authentication Protocol for HTTP: Cryptographic Algorithms Based on the Key Agreement Mechanism 3 (KAM3), IETF. Experimental RFC 8121.","DOI":"10.17487\/RFC8121"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"De Backere, F., Hanssens, B., Heynssens, R., Houthooft, R., Zuliani, A., Verstichel, S., Dhoedt, B., and De Turck, F. (2014, May 5\u20138). Design of a security mechanism for RESTful Web Service communication through mobile clients. Proceedings of the IEEE Network Operations and Management Symposium (NOMS), Krakow, Poland.","DOI":"10.1109\/NOMS.2014.6838308"},{"key":"ref_41","unstructured":"Peng, D., Li, C., and Huo, H. (2009, January 7\u20139). An extended UsernameToken-based approach for REST-style Web Service Security Authentication. Proceedings of the 2nd IEEE International Conference on Computer Science and Information Technology, Windsor, ON, Canada."},{"key":"ref_42","unstructured":"Brickley, D., and Miller, L. (2014). FOAF Vocabulary Specification 0.99, Namespace. Technical Report."},{"key":"ref_43","unstructured":"Story, H., Harbulot, B., Jacobi, I., and Jones, M. (2009, May 31\u2013June 4). FOAF+SSL: RESTful Authentication for the Social Web. Proceedings of the 6th European Semantic Web Conference, Heraklion, Crete, Greece."},{"key":"ref_44","unstructured":"Story, H., and Hausenblas, M. (2013). WebID Specifications, W3C. 
W3C Editor\u2019s Draft."},{"key":"ref_45","first-page":"77","article-title":"Weaving a Web of Trust","volume":"2","author":"Khare","year":"1997","journal-title":"World Wide Web J."},{"key":"ref_46","unstructured":"Google (2017). Migrating from Amazon S3 to Google Cloud Storage, Google Inc."},{"key":"ref_47","unstructured":"Hewlett Packard (2014). HP Helion Public Cloud Object Storage API Specification, Hewlett Packard."},{"key":"ref_48","unstructured":"Microsoft (2017). Authentication for the Azure Storage Services, Microsoft Research."},{"key":"ref_49","unstructured":"Amazon (2017). Signing AWS Requests By Using Signature Version 4, Amazon Web Services."},{"key":"ref_50","unstructured":"Cavage, M., and Sporny, M. (2014). Signing HTTP Messages, IETF. Internet-Draft."},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Hammer-Lahav, E. (2010). The OAuth 1.0 Protocol, IETF. RFC 5849.","DOI":"10.17487\/rfc5849"},{"key":"ref_52","unstructured":"Richer, J., Mills, W., and Tschofenig, H. (2014). OAuth 2.0 Message Authentication Code (MAC) Tokens, IETF. Internet-Draft."},{"key":"ref_53","unstructured":"Richer, J., Bradley, J., and Tschofenig, H. (2014). A Method for Signing HTTP Requests for OAuth, IETF. Internet-Draft."},{"key":"ref_54","doi-asserted-by":"crossref","unstructured":"Jones, M., Bradley, J., and Sakimura, N. (2015). JSON Web Signature (JWS), IETF. RFC 7515.","DOI":"10.17487\/RFC7515"},{"key":"ref_55","doi-asserted-by":"crossref","unstructured":"Crockford, D. (2006). The application\/json Media Type for JavaScript Object Notation (JSON), IETF. RFC 4627.","DOI":"10.17487\/rfc4627"},{"key":"ref_56","doi-asserted-by":"crossref","unstructured":"Serme, G., De Oliveira, A.S., Massiera, J., and Roudier, Y. (2012, June 24\u201329). Enabling message security for RESTful services. 
Proceedings of the 19th IEEE International Conference on Web Services (ICWS), Honolulu, HI, USA.","DOI":"10.1109\/ICWS.2012.94"},{"key":"ref_57","unstructured":"Lee, S., Jo, J.Y., and Kim, Y. (2015, June 28\u2013July 1). A Method for Secure RESTful Web Service. Proceedings of the IEEE\/ACIS 14th International Conference on Computer and Information Science (ICIS), Las Vegas, NV, USA."},{"key":"ref_58","first-page":"21","article-title":"Authentication system for stateless RESTful Web service","volume":"17","author":"Lee","year":"2017","journal-title":"J. Comput. Methods Sci. Eng."},{"key":"ref_59","doi-asserted-by":"crossref","unstructured":"Selander, G., Mattsson, J., Palombini, F., and Seitz, L. (2018). Object Security for Constrained RESTful Environments (OSCORE), IETF. Internet-Draft.","DOI":"10.17487\/RFC8613"},{"key":"ref_60","doi-asserted-by":"crossref","unstructured":"Granjal, J., Monteiro, E., and Silva, J.S. (2013, June 5\u20137). Application-Layer Security for the WoT: Extending CoAP to Support End-to-End Message Security for Internet-Integrated Sensing Applications. Proceedings of the 11th International Conference on Wired and Wireless Internet Communications, St. Petersburg, Russia.","DOI":"10.1007\/978-3-642-38401-1_11"},{"key":"ref_61","doi-asserted-by":"crossref","unstructured":"Graf, S., Zholudev, V., Lewandowski, L., and Waldvogel, M. (2011, March 28). Hecate, Managing Authorization with RESTful XML. Proceedings of the 2nd International Workshop on RESTful Design (WS-REST), Hyderabad, India.","DOI":"10.1145\/1967428.1967442"},{"key":"ref_62","doi-asserted-by":"crossref","unstructured":"Bormann, C., and Hoffman, P. (2013). Concise Binary Object Representation (CBOR), IETF. RFC 7049.","DOI":"10.17487\/rfc7049"},{"key":"ref_63","doi-asserted-by":"crossref","unstructured":"Jones, M., Rescorla, E., and Hildebrand, J. (2014). JSON Web Encryption (JWE), IETF. Internet-Draft.","DOI":"10.17487\/RFC7516"},{"key":"ref_64","unstructured":"Bormann, C. (2014). 
Constrained Object Signing and Encryption (COSE), IETF. Internet-Draft."},{"key":"ref_65","unstructured":"Schaad, J. (2015). CBOR Encoded Message Syntax, IETF. Internet-Draft."},{"key":"ref_66","unstructured":"Hickson, I., Berjon, R., Faulkner, S., Leithead, T., Navara, E.D., and Pfeiffer, S. (2018, December 19). HTML5\u2014A Vocabulary and Associated APIs for HTML and XHTML. Available online: http:\/\/www.w3.org\/TR\/html5\/."},{"key":"ref_67","unstructured":"Ben-Kiki, O., Evans, C., and dot Net, I. (2018, December 19). YAML Ain\u2019t Markup Language Version 1.2. Technical Report. Available online: http:\/\/www.yaml.org\/spec\/1.2\/spec.html."},{"key":"ref_68","doi-asserted-by":"crossref","unstructured":"Shafranovich, Y. (2005). Common Format and MIME Type for Comma-Separated Values (CSV) Files, IETF. RFC 4180.","DOI":"10.17487\/rfc4180"},{"key":"ref_69","doi-asserted-by":"crossref","unstructured":"Josefsson, S. (2006). The Base16, Base32, and Base64 Data Encodings, IETF. RFC 4648.","DOI":"10.17487\/rfc4648"},{"key":"ref_70","unstructured":"Au, M.H., and Choo, K.K.R. (2016). RESTful IoT Authentication Protocols. Mobile Security and Privacy\u2014Advances, Challenges and Future Research Directions, Elsevier\/Syngress. [1st ed.]. Advanced Topics in Information Security."},{"key":"ref_71","unstructured":"Li, K., and Sun, R. (2014). CoAP Payload-Length Option Extension, IETF. Internet-Draft."},{"key":"ref_72","unstructured":"Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and Mortimore, C. (2014). OpenID Connect Core 1.0, OpenID Foundation. Specification."},{"key":"ref_73","doi-asserted-by":"crossref","unstructured":"Yang, F., and Manoharan, S. (2013, August 27\u201329). A security analysis of the OAuth protocol. 
Proceedings of the IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM), Victoria, BC, Canada.","DOI":"10.1109\/PACRIM.2013.6625487"},{"key":"ref_74","doi-asserted-by":"crossref","unstructured":"Sun, S.T., and Beznosov, K. (2012, October 16\u201318). The devil is in the (implementation) details: An empirical analysis of OAuth SSO systems. Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, USA.","DOI":"10.1145\/2382196.2382238"}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/11\/3\/56\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T12:35:07Z","timestamp":1760186107000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/11\/3\/56"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,2,27]]},"references-count":74,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2019,3]]}},"alternative-id":["fi11030056"],"URL":"https:\/\/doi.org\/10.3390\/fi11030056","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2019,2,27]]}}}
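The abstract argues that transport-oriented protection (TLS/DTLS) ends at every intermediary, so a REST service system needs message-oriented authentication that works the same way for REST-ful HTTP and REST-ful CoAP. The following is an added illustration of that idea and is not the paper's scheme or code: it maps an HTTP request and a CoAP request onto one protocol-independent message view (method, resource URI, selected metadata, payload hash), protects that view with HMAC-SHA256, and shows what a verifier must check beyond the MAC. The metadata names x-rest-ts, x-rest-nonce and x-rest-auth, the canonical form, the shared key and the sample requests are assumptions made for this example; the CoAP method codes and option numbers are the ones defined in RFC 7252.

```python
"""Added example: protocol-agnostic REST message authentication. Method, resource
URI, selected metadata and a payload hash are canonicalized and protected with
HMAC-SHA256, so HTTP and CoAP requests are authenticated by identical code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class RestMessage:
    """Protocol-independent view of a request: metadata = HTTP headers or CoAP options."""
    method: str
    uri: str
    metadata: dict
    payload: bytes = b""

def from_http(method, url, headers, body=b""):
    """HTTP binding: header names are case-insensitive, so normalise them."""
    return RestMessage(method, url, {k.lower(): v for k, v in headers.items()}, body)

# CoAP method codes and option numbers as defined in RFC 7252.
COAP_METHODS = {1: "GET", 2: "POST", 3: "PUT", 4: "DELETE"}
URI_HOST, URI_PATH, CONTENT_FORMAT, URI_QUERY = 3, 11, 12, 15

def from_coap(code, options, payload=b""):
    """CoAP binding: rebuild the resource URI from the Uri-* options and map
    Content-Format onto the metadata key the HTTP binding uses."""
    host = next(v for n, v in options if n == URI_HOST)
    path = "/".join(v for n, v in options if n == URI_PATH)
    query = "&".join(v for n, v in options if n == URI_QUERY)
    meta = {"host": host, **{"content-type": str(v) for n, v in options if n == CONTENT_FORMAT}}
    uri = f"coap://{host}/{path}" + (f"?{query}" if query else "")
    return RestMessage(COAP_METHODS[code], uri, meta, payload)

def canonicalize(msg, fields):
    """Bytes that get authenticated: method, path, query, the listed metadata fields
    and SHA-256(payload). Unlisted fields stay uncovered on purpose, so hop-by-hop
    additions by intermediaries (Via, X-Forwarded-For, ...) do not break the MAC."""
    u = urlsplit(msg.uri)
    lines = [msg.method.upper(), u.path or "/", u.query]
    lines += [f"{f}:{msg.metadata.get(f, '').strip()}" for f in fields]
    lines.append(hashlib.sha256(msg.payload).hexdigest())
    return "\n".join(lines).encode()

def sign(msg, key_id, key, fields, now=None, nonce=None):
    """Sender side. The x-rest-* names are assumptions made for this example."""
    msg.metadata["x-rest-ts"] = str(int(time.time() if now is None else now))
    msg.metadata["x-rest-nonce"] = nonce or secrets.token_hex(8)
    covered = list(fields) + ["x-rest-ts", "x-rest-nonce"]
    mac = hmac.new(key, canonicalize(msg, covered), hashlib.sha256).hexdigest()
    msg.metadata["x-rest-auth"] = f"{key_id};{','.join(covered)};{mac}"
    return msg

def verify(msg, keys, seen_nonces, now=None, max_skew=300, required=("host",)):
    """Receiver side: the receiver, not the sender, decides which fields must be covered."""
    try:
        key_id, covered, mac = msg.metadata["x-rest-auth"].split(";")
    except (KeyError, ValueError):
        return False, "missing or malformed x-rest-auth"
    if key_id not in keys:
        return False, "unknown key id"
    covered = covered.split(",")
    if not {"x-rest-ts", "x-rest-nonce", *required}.issubset(covered):
        return False, "signature does not cover required fields"
    expected = hmac.new(keys[key_id], canonicalize(msg, covered), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "MAC mismatch (message altered or wrong key)"
    if abs((time.time() if now is None else now) - int(msg.metadata.get("x-rest-ts") or 0)) > max_skew:
        return False, "timestamp outside acceptance window"
    nonce = msg.metadata.get("x-rest-nonce")
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"

def demo():
    """Constructed scenario: HTTP and CoAP requests to the same resource, then a body
    rewritten by a TLS-terminating proxy, a replay, a stale copy and a signature that
    covers too little."""
    key_id, key = "client-42", b"shared-secret-for-this-example-only"
    keys, seen, fields, t = {key_id: key}, set(), ["host", "content-type"], 1_700_000_000
    http_req = from_http("PUT", "https://api.example.test/devices/7/config",
                         {"Host": "api.example.test", "Content-Type": "application/json",
                          "Via": "1.1 edge-proxy"}, b'{"interval": 60}')  # Via: unsigned hop-by-hop
    sign(http_req, key_id, key, fields, now=t, nonce="n1")
    coap_req = from_coap(3, [(URI_HOST, "gw.example.test"), (URI_PATH, "devices"), (URI_PATH, "7"),
                             (URI_PATH, "config"), (CONTENT_FORMAT, 50)], b'{"interval": 60}')
    sign(coap_req, key_id, key, fields, now=t, nonce="n2")
    results = {"http_ok": verify(http_req, keys, seen, now=t),
               "coap_ok": verify(coap_req, keys, seen, now=t)}
    http_req.payload = b'{"interval": 1}'                      # rewritten after TLS termination
    results["tampered"] = verify(http_req, keys, seen, now=t)
    results["replay"] = verify(coap_req, keys, seen, now=t)    # identical message resent
    results["stale"] = verify(coap_req, keys, set(), now=t + 3600)
    weak = sign(from_http("GET", "https://api.example.test/devices", {}), key_id, key, [], now=t)
    results["uncovered"] = verify(weak, keys, set(), now=t)    # valid MAC, but Host not covered
    return results

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'accepted' if ok else 'rejected'}: {reason}")
```

Two design points matter more than the MAC itself. First, the verifier enforces a minimum set of covered fields; a signature whose coverage list the sender chose freely proves nothing about the parts it omits, which is the class of weakness the abstract attributes to the heterogeneous HTTP-centred schemes. Second, the canonical form deliberately excludes hop-by-hop metadata so that intermediaries can still do their job, while the payload hash, method and resource path are pinned end-to-end regardless of how many TLS or DTLS hops sit in between.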