Next Article in Journal / Special Issue
Worldwide Connectivity for the Internet of Things Through LoRaWAN
Previous Article in Journal
Simulating Fog and Edge Computing Scenarios: An Overview and Research Challenges
Previous Article in Special Issue
SAES: An Introduction to Self-Adapting Exploratory Structures
Article Menu
Issue 3 (March) cover image

Export Article

Open AccessArticle

On the Need for a General REST-Security Framework

Data and Application Security Group, Cologne University of Applied Sciences, 50679 Cologne, Germany
Author to whom correspondence should be addressed.
Future Internet 2019, 11(3), 56;
Received: 19 December 2018 / Revised: 12 February 2019 / Accepted: 14 February 2019 / Published: 27 February 2019
(This article belongs to the Special Issue 10th Anniversary Feature Papers)
PDF [1099 KB, uploaded 27 February 2019]


Contemporary software is inherently distributed. The principles guiding the design of such software have been mainly manifested by the service-oriented architecture (SOA) concept. In a SOA, applications are orchestrated by software services generally operated by distinct entities. Due to the latter fact, service security has been of importance in such systems ever since. A dominant protocol for implementing SOA-based systems is SOAP, which comes with a well-elaborated security framework. As an alternative to SOAP, the architectural style representational state transfer (REST) is gaining traction as a simple, lightweight and flexible guideline for designing distributed service systems that scale at large. This paper starts by introducing the basic constraints representing REST. Based on these foundations, the focus is afterwards drawn on the security needs of REST-based service systems. The limitations of transport-oriented protection means are emphasized and the demand for specific message-oriented safeguards is assessed. The paper then reviews the current activities in respect to REST-security and finds that the available schemes are mostly HTTP-centered and very heterogeneous. More importantly, all of the analyzed schemes contain vulnerabilities. The paper contributes a methodology on how to establish REST-security as a general security framework for protecting REST-based service systems of any kind by consistent and comprehensive protection means. First adoptions of the introduced approach are presented in relation to REST message authentication with instantiations for REST-ful HTTP (web/cloud services) and REST-ful constraint application protocol (CoAP) (internet of things (IoT) services). View Full-Text
Keywords: SOA; services; security; REST; web services security; HTTP; IoT services security; CoAP; RACS SOA; services; security; REST; web services security; HTTP; IoT services security; CoAP; RACS

Figure 1

This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).

Share & Cite This Article

MDPI and ACS Style

Lo Iacono, L.; Nguyen, H.V.; Gorski, P.L. On the Need for a General REST-Security Framework. Future Internet 2019, 11, 56.

Show more citation formats Show less citations formats

Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Related Articles

Article Metrics

Article Access Statistics



[Return to top]
Future Internet EISSN 1999-5903 Published by MDPI AG, Basel, Switzerland RSS E-Mail Table of Contents Alert
Back to Top