Securing RESTful Web Services

Standards-based security for Web Oriented Architectures

The Problem: REST Stacks have Poor Security Support

Prompted largely by the developers they depend on, Enterprise Architects have begun turning their attention to so-called Web Oriented Architecture (WOA), represented primarily by REST-based Web services.

Representational State Transfer (REST) and resource orientation in general provide a lightweight approach to exposing Web APIs known as RESTful Web services, in which requesters and service implementations use HTTP to exchange resources formatted using common content types, such as PDF, XML, HTML and JSON.

While REST provides a quicker and easier way to instantiate Web services than the more traditional, SOAP-based/WS-* approach, lightweight REST stacks have difficulty accommodating sophisticated security requirements, such as:

  • Authenticating/authorizing RESTful requesters in a uniform manner
  • Integrating RESTful Web services with existing identity and access management infrastructure
  • Monitoring and auditing access to RESTful Web services
  • Enforcing service levels and quotas for RESTful Web services
  • Propagating credentials across RESTful Web services, machine to machine

Solution: XML Gateways

RESTful Web services are closely aligned with the Web and, as such, are subject to all the traditional Web-based threats. Yet, just like WS-* services, RESTful Web services also receive payloads, and with them message-level threats such as injection and parser attacks. While network-focused infrastructure (such as packet-based firewalls) can help protect against Web threats, it cannot help with message-level threats, which require the ability to inspect XML-based content.

DMZ-based XML Gateways, such as Layer 7’s SecureSpan family of XML Gateways, have long been a staple of SOA architectures because of their ability to virtualize service endpoints, abstracting out all access to them except via the SecureSpan SOA Gateway. With SecureSpan deployed in the middle of the conversation between the requesting client and the backend Web service, it can act as a policy enforcement point, inspecting incoming and outgoing traffic for compliance, detecting message-level threats, and intercepting/blocking attacks before they cross the perimeter.

Layer 7 Value: SOAP & REST Security

Like their WS-* counterparts, RESTful Web services are also service endpoints and can be virtualized by the SecureSpan Gateway. In such a WOA deployment, the SecureSpan SOA Gateway can perform JSON schema validation; evaluate content-level patterns using XPath expressions; validate messages against XML Schema Definitions (XSD); apply Regular Expression (RegEx) matching; filter HTTP headers; and enforce rules that take into consideration identity, URIs, HTTP verbs, and more.

The SecureSpan SOA Gateway’s runtime logic also integrates with IAM infrastructure, enabling authentication of requesters as well as centralized management of service access. By delegating authentication and authorization of requesting entities to SecureSpan, organizations can ensure these checks are performed uniformly, regardless of the technology implementing the backend service.
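To make the policy-enforcement-point idea from the two preceding paragraphs concrete, here is an added illustration (not SecureSpan code, and not from Layer 7) of a deny-by-default policy applied in front of a REST endpoint: header filtering, identity lookup, verb/URI rules per role, a JSON structure check and a RegEx on a field. The policy, the API-key table and the sample requests are all constructed for the example.

```python
import json
import re

# Hypothetical policy modelled on the capabilities listed above:
# header filtering, identity + verb + URI rules, JSON field checks, RegEx.
POLICY = {
    "required_headers": {"X-API-Key"},
    "routes": {  # (HTTP verb, URI prefix) -> roles allowed to call it
        ("GET", "/orders"): {"reader", "admin"},
        ("POST", "/orders"): {"admin"},
    },
    "json_schema": {"id": int, "sku": str},  # field -> expected JSON type
    "patterns": {"sku": re.compile(r"^[A-Z0-9-]{3,20}$")},
    "max_body_bytes": 1024,  # reject oversized payloads before parsing
}

# Constructed stand-in for the IAM lookup: API key -> role.
API_KEYS = {"k-reader-1": "reader", "k-admin-1": "admin"}


def enforce(method, path, headers, body, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    missing = policy["required_headers"] - set(headers)
    if missing:
        return False, f"missing header {sorted(missing)[0]}"
    role = API_KEYS.get(headers["X-API-Key"])
    if role is None:
        return False, "unknown requester"
    route = next((r for r in policy["routes"]
                  if r[0] == method and path.startswith(r[1])), None)
    if route is None or role not in policy["routes"][route]:
        return False, "verb/uri not permitted for role"
    if method in ("POST", "PUT"):  # payload inspection only where a body is expected
        if len(body) > policy["max_body_bytes"]:
            return False, "body too large"
        try:
            data = json.loads(body)
        except ValueError:
            return False, "malformed json"
        if not isinstance(data, dict) or set(data) - set(policy["json_schema"]):
            return False, "schema violation: unexpected structure"
        for field, typ in policy["json_schema"].items():
            value = data.get(field)
            # bool is a subclass of int in Python, so exclude it explicitly
            if not isinstance(value, typ) or isinstance(value, bool):
                return False, f"schema violation: {field}"
        for field, pattern in policy["patterns"].items():
            if not pattern.match(str(data[field])):
                return False, f"pattern violation: {field}"
    return True, "ok"
```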