Skip to main content

On the Security Expressiveness of REST-Based API Definition Languages

  • Conference paper
  • First Online:
Trust, Privacy and Security in Digital Business (TrustBus 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10442))

Included in the following conference series:


Modern software is inherently distributed. Applications are decomposed into functional components of which most are provided by third parties usually deployed as software services scattered around the network. Available services can be discovered and orchestrated by service consumers in a flexible and on-the-fly manner. To do so, a standardized specification of the service’s functionalities is required. Apart from functional aspects, such an interface definition language needs to offer expressions for specifying important non-functional facets in addition, such as security. With WSDL and WS-Security such a standardized service description language and a mature security framework are available for the SOAP domain. For REST-based web services such standards are, however, missing. To overcome these shortcomings, many distinct sources propose service description languages and security schemes for REST-based web services. This paper provides a systematic analysis of these languages with a specific focus on their ability to express security policies. The obtained results reveal substantial limitations in all analyzed specification languages.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Institutional subscriptions


  1. Erl, T.: SOA Principles of Service Design (The Prentice Hall Service-Oriented Computing Series from Thomas Erl). Prentice Hall PTR, Upper Saddle River (2007)

    Google Scholar 

  2. Leymann, F., Roller, D., Schmidt, M.T.: Web services and business process management. IBM Syst. J. 41(2), 198–211 (2002)

    Article  Google Scholar 

  3. Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J.J., Nielsen, H.F., Karmarkar, A., Lafon, Y.: SOAP Version 1.2 Part 1: Messaging Framework (2nd edn.). W3C Recommendation, W3C (2007).

  4. Christensen, E., Curbera, F., Meredith, G., Weerawarana, S.: Web Services Description Language (WSDL) 1.1. W3C Note, W3C (2000).

  5. Nadalin, A., Goodner, M., Gudgin, M., Turner, D., Barbir, A., Granqvist, H.: WS-SecurityPolicy 1.3. Standard, OASIS (2012)

    Google Scholar 

  6. Fielding, R.T.: Architectural styles and the design of network-based software architectures. Ph.D. thesis, University of California, Irvine (2000)

    Google Scholar 

  7. Sun, S.T., Beznosov, K.: the devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In: 19th ACM Conference on Computer and Communications Security (CSS) (2012)

    Google Scholar 

  8. Hardt, D.: The OAuth 2.0 Authorization Framework. RFC, IETF (2012).

  9. Hickson, I., Berjon, R., Faulkner, S., Leithead, T., Navara, E.D., O’Connor, E., Pfeiffer, S.: HTML5 - a vocabulary and associated APIs for HTML and XHTML. Recommendation, W3C (2014).

  10. Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., Yergeau, F.: Extensible Markup Language (XML) 1.0 (5th edn.). Recommendation, W3C (2008).

  11. Bray, T.: The JavaScript Object Notation (JSON) Data Interchange Format. RFC 7189, IETF.

  12. Shelby, Z., Hartke, K., Borman, C.: The Constrained Application Protocol (CoAP). RFC, IETF (2014).

  13. Lo Iacono, L., Nguyen, H.V.: Towards conformance testing of REST-based web services. In: 11th International Conference on Web Information Systems and Technologies (WEBIST) (2015)

    Google Scholar 

  14. Franks, J., Hallam-Baker, P.M., Hostetler, J.L., Lawrence, S.D., Leach, P.J., Luotonen, A., Stewart, L.C.: HTTP Authentication: Basic and Digest Access Authentication. RFC, IETF (1999).

  15. Hammer-Lahav, E.: The OAuth 1.0 Protocol. RFC, IETF (2010).

  16. Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C.: OpenID Connect Core 1.0. Specification, OpenID Foundation (2014).

  17. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC, IETF (2008).

  18. Lo Iacono, L., Nguyen, H.V.: Authentication scheme for REST. In: Doss, R., Piramuthu, S., Zhou, W. (eds.) FNSS 2015. CCIS, vol. 523, pp. 113–128. Springer, Cham (2015). doi:10.1007/978-3-319-19210-9_8

    Chapter  Google Scholar 

  19. Amazon: Signing AWS Requests By Using Signature Version 4 (2017).

  20. Google: Migrating from Amazon S3 to Google Cloud Storage (2017).

  21. Hewlett Packard: HP Helion Public Cloud Object Storage API Specification (2014).

  22. Microsoft: Authentication for the Azure Storage Services (2017).

  23. Chinnici, R., Moreau, J.J., Ryman, A., Weerawarana, S.: Web services description language (WSDL) version 2.0 part 1: core language. W3C Recommendation, W3C (2007).

  24. Lewis, A., Haas, H., Orchard, D., Weerawarana, S., Chinnici, R., Moreau, J.J.: Web Services Description Language (WSDL) Version 2.0 Part 2: Adjuncts. W3C Recommendation, W3C (2007).

  25. Verborgh, R., Harth, A., Maleshkova, M., Stadtmüller, S., Steiner, T., Taheriyan, M., Van de Walle, R.: Survey of semantic description of REST APIs. In: Pautasso, C., Wilde, E., Alarcon, R. (eds.) REST: Advanced Research Topics and Practical Applications, pp. 69–89. Springer, New York (2014). doi:10.1007/978-1-4614-9299-3_5

    Chapter  Google Scholar 

  26. Headley, M.: Web Application Description Language (WADL). W3C Member Submission, W3C (2009).

  27. Robie, J., Cavicchio, R., Sinnema, R., Wilde, E.: RESTful service description language (RSDL): describing RESTful services without tight coupling. In: Balisage: The Markup Conference 2013, Montréal, Canada, 6–9 August 2013

    Google Scholar 

  28. Robie, J., Sinnema, R., Zhou, W.: RESTful API Description Language (2016).

  29. Li, L., Chou, W.: Design and describe REST API without violating REST: a petri net based approach. In: 18th IEEE International Conference on Web Services (ICWS) (2011)

    Google Scholar 

  30. Open API Initiative: OpenAPI Specification (2016).

  31. SmartBear Software: Swagger Specification (2016).

  32. Ben-Kiki, O., Evans, C., dot Net, I.: YAML Aint Markup Language Version 1.2. Technical report (2009).

  33. RAML: RAML Version 1.0: RESTful API Modeling Language (2016).

  34. API Blueprint: API Blueprint Specification (2016).

  35. Apiary Inc.: Markdown Syntax for Object Notation. Technical report (2016).

  36. Leonard, S.: Guidance on Markdown: Design Philosophies, Stability Strategies, and Select Registrations. RFC, IETF (2016).

  37. Handl, R., Jeyaraman, R., Pizzo, M., Zurmuehl, M.: OData Version 4.0. Part 1: Protocol Plus Errata 03. OASIS Standard, OASIS (2016).

  38. Handl, R., Jeyaraman, R., Pizzo, M., Biamonte, M.: OData JSON Format Version 4.0 Plus Errata 03. OASIS Standard, OASIS (2016).

  39. Hartel, B., Jeyaraman, R., Zurmuehl, M., Pizzo, M., Handl, R.: OData Atom Format Version 4.0. OASIS Standard, OASIS (2013).

  40. TIBCA Software Inc.: I/O Docs community edition in Node.js. Technical report (2015).

  41. Kopecký, J., Gomadam, K., Vitvar, T.: hRESTS: an HTML microformat for describing RESTful web services. In: IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology (WI-IAT) (2008)

    Google Scholar 

  42. Adida, B., Birbeck, M., McCarron, S.: RDFa Core 1.1 - 3rd edn. W3C Recommendation, W3C (2015).

  43. Maleshkova, M., Pedrinaci, C., Domingue, J., Alvaro, G., Martinez, I.: Using semantics for automating the authentication of web APIs. In: Patel-Schneider, P.F., Pan, Y., Hitzler, P., Mika, P., Zhang, L., Pan, J.Z., Horrocks, I., Glimm, B. (eds.) ISWC 2010. LNCS, vol. 6496, pp. 534–549. Springer, Heidelberg (2010). doi:10.1007/978-3-642-17746-0_34

    Chapter  Google Scholar 

  44. Alarcon, R., Wilde, E.: Linking data from RESTful services. In: Third Workshop on Linked Data on the Web (2010)

    Google Scholar 

  45. Bellido, J., Alarcon, R., Sepulveda, C.: Web linking-based protocols for guiding RESTful M2M interaction. In: Harth, A., Koch, N. (eds.) ICWE 2011. LNCS, vol. 7059, pp. 74–85. Springer, Heidelberg (2012). doi:10.1007/978-3-642-27997-3_7

    Chapter  Google Scholar 

  46. Sepulveda, C., Alarcon, R., Bellido, J.: QoS aware descriptions for RESTful service composition: security domain. World Wide Web 18(4), 767–794 (2015)

    Article  Google Scholar 

  47. Recordon, D., Reed, D.: OpenID 2.0: a platform for user-centric identity management. In: 2nd ACM Workshop on Digital Identity Management (DIM) (2006)

    Google Scholar 

  48. de Azevedo Muniz, B., Chaves, L.M., Lira, H.A., Dantas, J.R.V., Farias, P.P.M.: Serin an aproach to specify semantic abstract interfaces in the context of RESTful web services. In: IADIS International Conference WWW/Internet (2013)

    Google Scholar 

  49. Lanthaler, M.: Creating 3rd generation web APIs with hydra. In: 22nd International Conference on World Wide Web (WWW) (2013)

    Google Scholar 

  50. Lanthaler, M.: Hydra Core Vocabulary - A Vocabulary for Hypermedia-Driven Web APIs. Unofficial Draft, W3C (2017).

  51. Sporny, M., Longley, D., Kellogg, G., Lanthaler, M., Lindstrm, N.: JSON-LD 1.0 - A JSON-Based Serialization for Linked Data. W3C Recommendation, W3C (2014).

  52. Verborgh, R., Steiner, T., Van Deursen, D., Coppens, S., Vallés, J.G., Van de Walle, R.: Functional descriptions as the bridge between hypermedia APIs and the semantic web. In: 3rd International Workshop on RESTful Design (WS-REST) (2012)

    Google Scholar 

  53. Berners-Lee, T., Connolly, D.: Notation3 (N3): a readable RDF syntax. W3C Team Submission, W3C (2011).

  54. Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., Smith, M.: Why eve and mallory love android: an analysis of android SSL (in)security. In: 19th ACM Conference on Computer and Communications Security (CCS) (2012)

    Google Scholar 

  55. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: 19th ACM Conference on Computer and Communications Security (CCS) (2012).

  56. IETF JOSE Working Group: Javascript Object Signing and Encryption (JOSE) (2017).

  57. Urien, P.: Remote APDU Call Secure (RACS). Internet-Draft, IETF (2016).

  58. Gorski, P.L., Lo Iacono, L., Nguyen, H.V., Torkian, D.B.: Service security revisited. In: 11th IEEE International Conference on Services Computing (SCC) (2014)

    Google Scholar 

  59. Nguyen, H.V., Lo Iacono, L.: REST-ful CoAP message authentication. In: International Workshop on Secure Internet of Things (SIoT), in conjunction with the European Symposium on Research in Computer Security (ESORICS) (2015)

    Google Scholar 

  60. Nguyen, H.V., Lo Iacono, L.: RESTful IoT authentication protocols. In: u, M.H., Choo, K.R., (eds.) Mobile Security and Privacy - Advances Challenges and Future Research Directions. Advanced Topics in Information Security, 1st edn., pp. 217–234. Elsevier/Syngress (2016)

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Hoai Viet Nguyen .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Nguyen, H.V., Tolsdorf, J., Lo Iacono, L. (2017). On the Security Expressiveness of REST-Based API Definition Languages. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2017. Lecture Notes in Computer Science(), vol 10442. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64482-0

  • Online ISBN: 978-3-319-64483-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics