A Novel Approach to Implement Message Level Security in RESTful Web Services

Abstract: The world is rapidly adopting RESTful web services for most of its tasks. The once popular SOAP-based web services are fast losing ground owing to this. RESTful web services are light weight services without strict message formats. RESTful web services, unlike SOAP, are capable of message transfer in any format be it XML, JSON, plain text. However, in spite of these positives, ensuring message level security in REST is a challenge. Security in RESTful web services is still largely dependent upon transport layer security. There has been some work recently towards message level security in such environments wherein the transfer of message level security metadata is done through utilising new HTTP headers. We feel, however, that any method that compromises the generality of the HTTP protocol should be avoided. In this paper, therefore, we propose two new ways of encryption that promise to ensure message level security in RESTful web services without the need for special HTTP headers. This approach works seamlessly on most famous content-types of RESTful web services: XML, JSON, HTML, plain-text and various ASCII printable content types. Further, the proposed approach removes the need for content negotiation in cases where the content comprises XML, JSON, HTML, plain-text, and ASCII printable content types and also removes the need for XML or JSON canonicalization.