Building Security To REST API
ISSN No:-2456-2165
Abstract:- REST stands for Representational State Transfer, an architectural style designed for loosely coupled web services. It is principally used to develop lightweight, fast, adaptable and easy-to-maintain web services that usually use HTTP for communication. Industry has come to depend on and accept REST based architectures to an enormous extent because of their ease of use. REST web services must be secured against various forms of web attack, all the more so because of their lightweight nature. Since REST is stateless, the techniques for securing these services differ from those for a standard web application, which relies on session management; in the case of REST the caller may or may not be a web browser, so no session can be maintained. There are several mechanisms for securing REST based web services. In this study the focus is on HTTP Basic Authentication, Digest Authentication and OAuth 2.

I. INTRODUCTION
Enterprises are quickly moving towards decentralized, flexible and layered application architectures (e.g. SOA) which can provide solutions to clients in cross-platform environments. In making this transition, the treatment of application-level security is considered a major concern. Application security has become critical since the rise of Web 2.0.

There has been an explosion of public APIs due to their ease of adoption and openness, which enables developers to call functions and data from multiple services to create new applications. The Google and Facebook APIs are Representational State Transfer (REST) based web services. As one might expect, application engineers have started to exploit this technology to support business processes in enterprises.

The security of REST APIs is still in question and not mature, for the following reasons:

There are no pre-defined security methods for the REST architecture, so developers define their own implementation.

REST APIs are vulnerable to the same classes of web attack as standard web applications, which include injection attacks, replay attacks, cross-site scripting, broken authentication etc.

II. TECHNOLOGY BACKGROUND
RESTful applications use HTTP requests to perform CRUD operations, i.e. to create, read, update and delete data. REST views the web as distributed hypermedia, i.e. hyperlinks within hypertext, whose resources communicate their state through representations. REST rests on three elements: Resources, Representations and Verbs.

A. Resources
The fundamental elements of the web platform are known as resources. Every resource has a unique identifier called a Uniform Resource Identifier (URI). In REST web services nouns are used to identify a type of resource. For example, employee details can be accessed using the URL http://Emp_service/Emp/1.

B. Verbs
HTTP verbs describe the action to be performed on the resource at the host. The actions a client can trigger on the host are:

GET: retrieves an existing resource
POST: creates a new resource
PUT: replaces (updates) an existing resource
DELETE: removes an existing resource

C. Representations
A representation is the form in which a resource is presented to clients. REST supports multiple formats without restriction, such as HTML, XML, JSON, plain text, GIF, JPEG etc.

III. FRAMEWORK AND IMPLEMENTATION
The REST web services here are built using the Model View Controller (MVC) framework. The model-view-controller architecture and ready-made components are provided by the Spring Web MVC framework, which can be used to develop web applications that are flexible and loosely coupled. The MVC pattern separates the different aspects of the application (input logic, business logic and UI logic) while providing loose coupling between these elements.

The Model generally consists of POJOs and encapsulates the application data.

The View is responsible for rendering the model data and in general produces HTML output that is interpreted by the client's browser.

The Controller is responsible for processing client requests, building the appropriate model and passing it to the view for rendering.
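The mapping of HTTP verbs to actions on the Emp resource (section II.B) and the handler-mapping step of the front controller (section III), as an added Python example that is not code from the paper (the paper's implementation is Spring MVC, which is not shown here). The employee data, the route table, the /Emp URI layout and the status-code choices (201 with a Location header for POST, 405 with an Allow header when the URI exists but the verb is not mapped) are assumptions made for illustration.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed in-memory model: employee resources keyed by id (sample data, not the paper's).
EMPLOYEES: Dict[int, dict] = {1: {"id": 1, "name": "Asha", "role": "engineer"}}

Response = Tuple[int, Dict[str, str], str]  # (status, response headers, JSON representation)
Handler = Callable[[Tuple[str, ...], Optional[dict]], Response]


def _json(status: int, body: object, **headers: str) -> Response:
    """Every representation leaves as JSON, one of the formats REST allows."""
    return status, {"Content-Type": "application/json", **headers}, json.dumps(body)


def get_employee(params: Tuple[str, ...], body: Optional[dict]) -> Response:
    emp = EMPLOYEES.get(int(params[0]))
    return _json(200, emp) if emp else _json(404, {"error": "no such employee"})


def create_employee(params: Tuple[str, ...], body: Optional[dict]) -> Response:
    if not body or "name" not in body:
        return _json(400, {"error": "name is required"})
    new_id = max(EMPLOYEES, default=0) + 1
    EMPLOYEES[new_id] = {**body, "id": new_id}          # the server assigns the id; the client cannot choose it
    return _json(201, EMPLOYEES[new_id], Location=f"/Emp/{new_id}")


def update_employee(params: Tuple[str, ...], body: Optional[dict]) -> Response:
    emp_id = int(params[0])
    if emp_id not in EMPLOYEES:
        return _json(404, {"error": "no such employee"})
    if not body or "name" not in body:
        return _json(400, {"error": "name is required"})
    EMPLOYEES[emp_id] = {**body, "id": emp_id}          # PUT replaces the whole representation
    return _json(200, EMPLOYEES[emp_id])


def delete_employee(params: Tuple[str, ...], body: Optional[dict]) -> Response:
    if EMPLOYEES.pop(int(params[0]), None) is None:
        return _json(404, {"error": "no such employee"})
    return 204, {}, ""                                   # nothing left to represent


# Handler mapping, the role HandlerMapping plays in Spring MVC: (verb, URI pattern) -> handler.
ROUTES: List[Tuple[str, "re.Pattern[str]", Handler]] = [
    ("GET",    re.compile(r"^/Emp/(\d+)$"), get_employee),
    ("PUT",    re.compile(r"^/Emp/(\d+)$"), update_employee),
    ("DELETE", re.compile(r"^/Emp/(\d+)$"), delete_employee),
    ("POST",   re.compile(r"^/Emp$"),       create_employee),
]


def dispatch(method: str, path: str, body: Optional[dict] = None) -> Response:
    """Front controller: route (verb, URI) to its handler.

    A URI that exists but has no handler for this verb gets 405 with an Allow header,
    which is different information from 404 (no such resource at all).
    """
    allowed: List[str] = []
    for verb, pattern, handler in ROUTES:
        match = pattern.match(path)
        if match is None:
            continue
        if verb == method:
            return handler(match.groups(), body)
        allowed.append(verb)
    if allowed:
        return _json(405, {"error": "method not allowed"}, Allow=", ".join(allowed))
    return _json(404, {"error": "no such resource"})


if __name__ == "__main__":
    print(dispatch("GET", "/Emp/1"))
    print(dispatch("POST", "/Emp", {"name": "Ravi", "role": "qa"}))
    print(dispatch("PATCH", "/Emp/1"))
```

Note that the dispatcher answers 404 and 405 from the route table alone, before any handler runs; a client probing for resources learns only what the mapping already exposes.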
Fig 1:- Spring MVC flow

Figure 1 depicts the Spring MVC flow. The DispatcherServlet receives the user request and, with the help of the HandlerMapping, identifies the Controller class associated with the given request, so that the request is passed to that controller.

The Controller processes the request by executing the appropriate methods and returns a ModelAndView object (containing the model data and the view name) to the DispatcherServlet. The view (which can be a JSP) is then resolved by the front controller by consulting the ViewResolver object. The selected view is rendered and the DispatcherServlet returns the response to the client.

Security for a REST API can be built in multiple ways, such as Basic Authentication, OAuth2 and Digest Authentication.

A. Basic Authentication
In Basic Authentication the username and password are base64 encoded. It is stateless in nature: the server does not keep track of user sessions, and therefore the base64 encoded username and password must be sent in each API request. When a request for a protected resource carries no credentials, the server responds with status 401 and adds WWW-Authenticate: Basic realm="messages" to the response headers, where Basic indicates that Basic Authentication is in use and realm is a string indicating which part of the site is protected, as shown in Figure 2.

The Authorization header is base64-decoded on the server and the username and password are extracted. The user can access protected resources if the authentication is successful.

The problem with Basic Authentication is that it transmits the password in plain text: base64 is an encoding, not encryption, and anyone who observes the request can decode it trivially. Therefore Basic Authentication must be used over HTTPS only.
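The Basic Authentication exchange described above, on both the client and the server side, as an added Python example that is not the paper's code. The realm string is the one from the paper's WWW-Authenticate header; the user store, the hypothetical user name and password, and the choice to keep a salted PBKDF2 hash rather than the plaintext password on the server are assumptions. The decode_basic_header function performs exactly the operation an eavesdropper on plain HTTP performs, which is why the HTTPS-only rule exists.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

REALM = "messages"  # the realm string used in the paper's WWW-Authenticate example


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme: the server keeps a salted PBKDF2 hash, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store with a hypothetical user: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_SALT, _hash_password("s3cret:with:colons", _SALT))}


def basic_auth_header(username: str, password: str) -> str:
    """Client side: the Authorization header value, base64 of 'username:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover username and password from a Basic header.

    This is all an eavesdropper on plain HTTP has to do: base64 is encoding, not encryption.
    Returns None if the header is not a well-formed Basic credential.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user_pass = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in user_pass:
        return None
    # Split on the first colon only: the user name cannot contain ':' but the password may.
    username, _, password = user_pass.partition(":")
    return username, password


def authenticate(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Server side: returns (status, response headers). Stateless: every request is checked afresh."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    header = headers.get("Authorization")
    if header is None:
        return 401, challenge                      # no credentials: challenge the client
    creds = decode_basic_header(header)
    if creds is None:
        return 400, {}                             # malformed credentials, not merely wrong ones
    username, password = creds
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _SALT)            # same cost for an unknown user as for a wrong password
        return 401, challenge
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    header = basic_auth_header("alice", "s3cret:with:colons")
    print(header)                       # what travels on the wire on every request
    print(decode_basic_header(header))  # and how little it takes to read it back
    print(authenticate({"Authorization": header}))
```

Because the credentials arrive on every request, the server-side cost of the password hash is paid per request as well; this is one reason stateless APIs usually move from Basic Authentication to tokens once traffic grows.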
B. OAuth2
OAuth2 is a standard authorization protocol based on the concept of access tokens. It enables applications to access protected resources hosted by third-party services without requiring the resource owners to share their passwords with those applications.

Figure 3 depicts the working of the OAuth2 protocol, where a user passes credentials to the Authorization Server. It authenticates the user and returns an access token with a limited lifetime together with a refresh token. The user calls the Resource Server to access protected resources, passing the access token in the Authorization header. The refresh token is used to obtain a new access token once the old one has expired; it is presented only to the Authorization Server, never to the Resource Server.

The Resource Server extracts the token and validates it with the Authorization Server. The user gets access to the protected resources if the authorization is successful.

The flow of Figure 3, in which the user's password is handed to the Authorization Server by the calling application, is the resource owner password credentials grant; it is only appropriate when the application is trusted with the password. For third-party clients the authorization code grant, in which the user authenticates at the Authorization Server itself and the client receives only a short-lived code to exchange for tokens, is the recommended flow.
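The token flow of Figure 3 as an added Python example that is not the paper's code: an authorization server that issues a short-lived access token plus a refresh token, a resource server that validates the bearer token by asking the authorization server (token introspection), and the refresh step for an expired token. The token lifetimes, the opaque random token format, the injectable clock, the single-use rotation of refresh tokens, the scope check and the constructed user are all assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ACCESS_TTL = 300       # seconds; an assumed short lifetime limits the damage from a leaked access token
REFRESH_TTL = 86_400   # seconds; refresh tokens live longer but are only ever sent to the auth server


@dataclass
class Grant:
    subject: str
    scope: str
    expires_at: float


class AuthorizationServer:
    """Assumed authorization server: authenticates the user, issues and introspects opaque tokens."""

    def __init__(self, users: Dict[str, str], clock: Callable[[], float] = time.time):
        # Constructed demo user store (username -> password); a real server stores salted hashes.
        self._users = users
        self._clock = clock
        self._access: Dict[str, Grant] = {}
        self._refresh: Dict[str, Grant] = {}

    def _issue(self, subject: str, scope: str) -> dict:
        now = self._clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = Grant(subject, scope, now + ACCESS_TTL)
        self._refresh[refresh] = Grant(subject, scope, now + REFRESH_TTL)
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": refresh, "scope": scope}

    def password_grant(self, username: str, password: str, scope: str = "read") -> Optional[dict]:
        """Figure 3, first step: user credentials in, access and refresh token out (None on failure)."""
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return self._issue(username, scope)

    def refresh_grant(self, refresh_token: str) -> Optional[dict]:
        """Renew an expired access token. The refresh token is single use: a fresh pair is issued."""
        grant = self._refresh.pop(refresh_token, None)
        if grant is None or grant.expires_at <= self._clock():
            return None
        return self._issue(grant.subject, grant.scope)

    def introspect(self, token: str) -> dict:
        """What the resource server asks when it validates the token with the authorization server."""
        grant = self._access.get(token)
        if grant is None or grant.expires_at <= self._clock():
            return {"active": False}
        return {"active": True, "sub": grant.subject, "scope": grant.scope}


class ResourceServer:
    """Assumed resource server: accepts only a valid, unexpired bearer token with the required scope."""

    def __init__(self, auth: AuthorizationServer, required_scope: str = "read"):
        self._auth = auth
        self._required_scope = required_scope

    def handle(self, headers: Dict[str, str]) -> Tuple[int, str]:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, 'WWW-Authenticate: Bearer realm="emp"'
        info = self._auth.introspect(token)
        if not info["active"]:
            # Expired, unknown, or a refresh token sent by mistake: all look the same to the client.
            return 401, 'WWW-Authenticate: Bearer error="invalid_token"'
        if self._required_scope not in info["scope"].split():
            return 403, 'WWW-Authenticate: Bearer error="insufficient_scope"'
        return 200, f"protected employee data for {info['sub']}"


if __name__ == "__main__":
    auth = AuthorizationServer({"alice": "correct horse"})
    tokens = auth.password_grant("alice", "correct horse")
    print(ResourceServer(auth).handle({"Authorization": "Bearer " + tokens["access_token"]}))
```

The resource server never sees the password and never stores a session; each request is authorized from the token alone, which is what makes the scheme fit a stateless REST API. Rotating the refresh token on every use means a stolen refresh token stops working as soon as the legitimate client refreshes, and an attacker's use of it is detectable when the legitimate client's next refresh fails.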
IV. CONCLUSION
Security for REST is much needed because of its flexible nature; the user who accesses the services must therefore be validated, and this can be done in various ways. OAuth and Digest Authentication are two methods of building security into REST APIs that are more secure than Basic Authentication on its own.

Basic Authentication can be more secure than Digest when combined with SSL/TLS.

Currently developers are using the OAuth protocol to secure most REST APIs, but in the coming years there will be many other authentication methods with different cryptographic techniques that will strive against security