On The Structure and Authorization Management of RESTful Web Services

Bojan Suzic; Bernd Prünster; Dominik Ziegler

doi:10.1145/3167132.3167315

On The Structure and Authorization Management of RESTful Web Services

Bojan Suzic, Bernd Prünster, Dominik Ziegler

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Abstract

A broad range of emerging business models relies on the continual exchange of data that flow among different services to generate additional value and derive knowledge in many domains. The magnitude of resource sharing that form the basis of these interactions raises new challenges concerning the effectivity of existing security and privacy management instruments in environments of such
complexity.

In this work, we examine the practical application of authorization management mechanisms employed over RESTful Web APIs, which today serve as a major approach to expose service interfaces on the web. For this purpose, we have examined the integration of security mechanisms in n=523 publicWeb APIs. Our findings reveal alarming integration patterns that demonstrate a rudimentary data security and privacy protection in cross-service resource sharing.
Our analysis traces the cause back to the (1) shallow models and security capabilities offered by service providers, and (2) design deficiencies of dominantly applied OAuth 2.0 web authorization framework that restrict capabilities and lower the interoperability of underlying management functions. Following the initial discussion, we summarize potential solutions and establish an outline of the future work.

Originalsprache	englisch
Titel	Proceedings of the 33rd Annual ACM Symposium on Applied Computing
Herausgeber (Verlag)	Association of Computing Machinery
DOIs	https://doi.org/10.1145/3167132.3167315
Publikationsstatus	Elektronische Veröffentlichung vor Drucklegung. - 2018

Schlagwörter

autorisierung
sicherheit
web services

ASJC Scopus subject areas

Information systems
Computernetzwerke und -kommunikation

Zugriff auf Dokument

10.1145/3167132.3167315

az-mainEndgültige, publizierte Fassung, 1,16 MB

A-SIT - Zentrum für sichere Informationstechnologie Austria
Stranacher, K., Dominikus, S., Leitold, H., Marsalek, A., Teufl, P., Bauer, W., Aigner, M. J., Rössler, T., Neuherz, E., Dietrich, K., Zefferer, T., Mangard, S., Payer, U., Orthacker, C., Lipp, P., Reiter, A., Knall, T., Bratko, H., Bonato, M., Suzic, B., Zwattendorfer, B., Kreuzhuber, S., Oswald, M. E., Tauber, A., Posch, R., Bratko, D., Feichtner, J., Ivkovic, M., Reimair, F., Wolkerstorfer, J. & Scheibelhofer, K.
21/05/99 → 6/08/20
Projekt: Arbeitsgebiet

On The Structure and Authorization Management of RESTful Web Services
Bojan Suzic (Redner/in), Bernd Prünster (Beitragende/r) & Dominik Ziegler (Beitragende/r)
13 Apr. 2018
Aktivität: Vortrag oder Präsentation › Vortrag bei Konferenz oder Fachtagung › Science to science

Dieses zitieren

@inproceedings{1da0749628f74f3f888f4eece086a216,

title = "On The Structure and Authorization Management of RESTful Web Services",

abstract = "A broad range of emerging business models relies on the continual exchange of data that flow among different services to generate additional value and derive knowledge in many domains. The magnitude of resource sharing that form the basis of these interactions raises new challenges concerning the effectivity of existing security and privacy management instruments in environments of suchcomplexity.In this work, we examine the practical application of authorization management mechanisms employed over RESTful Web APIs, which today serve as a major approach to expose service interfaces on the web. For this purpose, we have examined the integration of security mechanisms in n=523 publicWeb APIs. Our findings reveal alarming integration patterns that demonstrate a rudimentary data security and privacy protection in cross-service resource sharing.Our analysis traces the cause back to the (1) shallow models and security capabilities offered by service providers, and (2) design deficiencies of dominantly applied OAuth 2.0 web authorization framework that restrict capabilities and lower the interoperability of underlying management functions. Following the initial discussion, we summarize potential solutions and establish an outline of the future work.",

keywords = "autorisierung, sicherheit, web services, web services, web api, service security, cloud services, service integration",

author = "Bojan Suzic and Bernd Pr{\"u}nster and Dominik Ziegler",

year = "2018",

doi = "10.1145/3167132.3167315",

language = "English",

booktitle = "Proceedings of the 33rd Annual ACM Symposium on Applied Computing",

publisher = "Association of Computing Machinery",

address = "United States",

}

TY - GEN

T1 - On The Structure and Authorization Management of RESTful Web Services

AU - Suzic, Bojan

AU - Prünster, Bernd

AU - Ziegler, Dominik

PY - 2018

Y1 - 2018

N2 - A broad range of emerging business models relies on the continual exchange of data that flow among different services to generate additional value and derive knowledge in many domains. The magnitude of resource sharing that form the basis of these interactions raises new challenges concerning the effectivity of existing security and privacy management instruments in environments of suchcomplexity.In this work, we examine the practical application of authorization management mechanisms employed over RESTful Web APIs, which today serve as a major approach to expose service interfaces on the web. For this purpose, we have examined the integration of security mechanisms in n=523 publicWeb APIs. Our findings reveal alarming integration patterns that demonstrate a rudimentary data security and privacy protection in cross-service resource sharing.Our analysis traces the cause back to the (1) shallow models and security capabilities offered by service providers, and (2) design deficiencies of dominantly applied OAuth 2.0 web authorization framework that restrict capabilities and lower the interoperability of underlying management functions. Following the initial discussion, we summarize potential solutions and establish an outline of the future work.

AB - A broad range of emerging business models relies on the continual exchange of data that flow among different services to generate additional value and derive knowledge in many domains. The magnitude of resource sharing that form the basis of these interactions raises new challenges concerning the effectivity of existing security and privacy management instruments in environments of suchcomplexity.In this work, we examine the practical application of authorization management mechanisms employed over RESTful Web APIs, which today serve as a major approach to expose service interfaces on the web. For this purpose, we have examined the integration of security mechanisms in n=523 publicWeb APIs. Our findings reveal alarming integration patterns that demonstrate a rudimentary data security and privacy protection in cross-service resource sharing.Our analysis traces the cause back to the (1) shallow models and security capabilities offered by service providers, and (2) design deficiencies of dominantly applied OAuth 2.0 web authorization framework that restrict capabilities and lower the interoperability of underlying management functions. Following the initial discussion, we summarize potential solutions and establish an outline of the future work.

KW - autorisierung

KW - sicherheit

KW - web services

KW - web api

KW - service security

KW - cloud services

KW - service integration

U2 - 10.1145/3167132.3167315

DO - 10.1145/3167132.3167315

M3 - Conference paper

BT - Proceedings of the 33rd Annual ACM Symposium on Applied Computing

PB - Association of Computing Machinery

ER -

On The Structure and Authorization Management of RESTful Web Services

Abstract

Schlagwörter

ASJC Scopus subject areas

Zugriff auf Dokument

Fingerprint

Projekte

A-SIT - Zentrum für sichere Informationstechnologie Austria

Aktivitäten

On The Structure and Authorization Management of RESTful Web Services

Dieses zitieren