Layer 7 for REST Security


8/2/2019 Layer 7 for REST Security

REST Security Solution Sheet

Standards-based Security for Web Oriented Architectures

A single solution simplifies the implementation of security for both REST and WS-* Web Services

The Problem

Representational State Transfer (REST) and resource orientation in general provide a lightweight approach to exposing Web APIs known as RESTful Web services. A key component of Web Oriented Architectures, REST requesters and service implementations use HTTP to exchange resources formatted using common content types, such as PDF, XML, HTML and JSON. But while developers appreciate the fact that REST provides them with a quicker and easier way to instantiate Web services than the more traditional, SOAP-based/WS-* approach, most of them also recognize that REST lacks a well-articulated security model.

The Layer 7 Solution

RESTful Web services are closely aligned with the Web and, as such, are subject to all the traditional Web-based threats. Yet, just as for WS-* services, RESTful Web services can receive payloads carrying message-level threats, such as injections and parser attacks.

Layer 7's SecureSpan family of XML Gateways can virtualize service endpoints, ensuring that access to RESTful and WS-* Web services can only occur via the SecureSpan Gateway. Gateway policies act on each incoming message, validating compliance with application-specific conditions, such as URI patterns, content-level patterns (evaluated using XPath expressions), XML Schema Definitions (XSD), Schematron, JSON schemas, Regular Expressions (RegEx), HTTP header filtering, and more.
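The message-validation policy described above, as an added illustration rather than SecureSpan's own policy language or code: a small ordered chain of assertions (URI pattern, header filter, body-size cap, JSON shape) evaluated fail-closed against constructed sample requests. The Request class, the assertion names, the limits and the sample requests are assumptions made for this example.

```python
"""Ordered policy chain over a RESTful request, in the style of the gateway policies
described above. Added illustration using only the standard library; the Request
shape, the assertion names and the sample requests are all constructed for this example."""
import json
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: bytes = b""

    def __post_init__(self):
        # Header names are case-insensitive; normalise once so a filter cannot be
        # bypassed by sending "content-type" instead of "Content-Type".
        self.headers = {k.lower(): v for k, v in self.headers.items()}


# An assertion returns None to pass, or a rejection reason string.
Assertion = Callable[[Request], Optional[str]]


def uri_pattern(pattern: str) -> Assertion:
    """Anchored match over the whole path, so /orders/42/../admin cannot slip past."""
    compiled = re.compile(pattern)
    return lambda r: None if compiled.fullmatch(r.path) else f"path {r.path!r} rejected by URI pattern"


def require_header(name: str, allowed: str) -> Assertion:
    """Header must be present and its whole value must match `allowed`."""
    compiled = re.compile(allowed, re.IGNORECASE)

    def check(r: Request) -> Optional[str]:
        value = r.headers.get(name.lower())
        if value is None:
            return f"missing header {name}"
        if not compiled.fullmatch(value):
            return f"header {name} value {value!r} rejected"
        return None
    return check


def max_body_size(limit: int) -> Assertion:
    return lambda r: None if len(r.body) <= limit else f"body of {len(r.body)} bytes exceeds {limit}"


def json_shape(required: dict, max_depth: int = 8) -> Assertion:
    """Minimal JSON schema: required keys with exact types, no extra keys, bounded nesting."""
    def depth(obj, d: int = 0) -> int:
        if isinstance(obj, dict):
            return max([depth(v, d + 1) for v in obj.values()] + [d + 1])
        if isinstance(obj, list):
            return max([depth(v, d + 1) for v in obj] + [d + 1])
        return d

    def check(r: Request) -> Optional[str]:
        try:
            doc = json.loads(r.body)
        except ValueError as exc:
            return f"malformed JSON: {exc}"
        if not isinstance(doc, dict):
            return "JSON body must be an object"
        if depth(doc) > max_depth:
            return f"JSON nesting deeper than {max_depth}"
        for key, typ in required.items():
            if key not in doc:
                return f"missing field {key}"
            # bool is a subclass of int in Python; a quantity of `true` is not a number.
            wrong_type = not isinstance(doc[key], typ) or (typ is int and isinstance(doc[key], bool))
            if wrong_type:
                return f"field {key} has wrong type"
        extra = sorted(set(doc) - set(required))
        if extra:
            return f"unexpected fields {extra}"
        return None
    return check


def evaluate(policy: list, request: Request) -> tuple:
    """Run assertions in order; the first failure denies the request (fail closed)."""
    for assertion in policy:
        reason = assertion(request)
        if reason is not None:
            return ("deny", reason)
    return ("allow", None)


ORDER_POLICY = [
    uri_pattern(r"/api/v1/orders/[0-9]{1,12}"),
    require_header("Content-Type", r"application/json(;\s*charset=utf-8)?"),
    max_body_size(4096),
    json_shape({"sku": str, "quantity": int}),
]

# Constructed sample requests (not captured traffic).
JSON_HDR = {"Content-Type": "application/json"}
GOOD = Request("PUT", "/api/v1/orders/42", JSON_HDR, b'{"sku": "A-100", "quantity": 3}')
BAD_PATH = Request("PUT", "/api/v1/orders/42/../../admin", JSON_HDR, b"{}")
BAD_BODY = Request("PUT", "/api/v1/orders/42", JSON_HDR, b'{"sku": "A-100", "quantity": 3, "price": 0.01}')
NO_HEADER = Request("PUT", "/api/v1/orders/42", {}, b'{"sku": "A-100", "quantity": 3}')

if __name__ == "__main__":
    for req in (GOOD, BAD_PATH, BAD_BODY, NO_HEADER):
        print(req.path, evaluate(ORDER_POLICY, req))
```

The order of assertions matters: cheap, structural checks (path, headers, size) run before the body is parsed, so an oversized or mis-typed payload is rejected without ever being decoded, and the first failing assertion short-circuits the chain.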

The SecureSpan XML Gateways' runtime logic also provides integration with IAM infrastructure, enabling authentication of requesters, as well as centralized management of service access. By delegating authentication and authorization of requesting entities to SecureSpan, organizations can ensure they are performed in a uniform fashion regardless of the backend implementing technology. Additionally, SecureSpan XML Gateways can provide a monitoring layer to validate Quality of Service (QoS) and enforce service levels in real time.

For RESTful Web services, how can you:

• Authenticate/authorize RESTful requesters in a uniform manner?
• Integrate RESTful Web services with existing identity and access management infrastructure?
• Monitor and audit access to RESTful Web services?
• Enforce service levels and quotas for RESTful Web services?


Copyright 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.

Key Features

Identity and Message Level Security

Identity-based access to services and operations
• Integration with leading identity, access, SSO and federation systems from Oracle, Sun, Microsoft, CA, IBM Tivoli, Novell
• Enforce fine-grained entitlement decisions authored in an XACML PDP

Manage security for cross-domain and B2B relationships
• Credential chaining, credential remapping and support for federated identity
• Integrated SAML STS issuer featuring support for SAML 1.1/2.0 authentication, authorization and attribute-based policies and Security Context Tokens
• Integrated PKI CA for automated deployment and management of client-side certificates, and integrated RA for external CAs
• STS support for WS-Trust and WS-Federation

Secure REST, WSDL and POX interfaces
• Selectively control access to interfaces down to an operation level
• Create on-the-fly composite WSDL views tailored to specific requestors
• Out of the box support for popular Cloud & SaaS interfaces from SFDC & Amazon
• Service look-up and publication using WSIL and UDDI

Audit transactions
• Log message-level transaction information
• Spool log data to off-board data stores and management systems

Threat Protection

Filter XML content for SOA, Web 2.0 and Cloud
• Configurable validation & filtering of HTTP headers, parameters and form data
• Detection of classified or dirty words or arbitrary signatures with subsequent scrubbing, rejection or redaction of messages
• Support for REST, AJAX, XML, SOAP, POX and other XML-based services

Prevent XML attack and intrusion
• Protect against XML parsing attacks, XDoS and OS attacks, SQL and malicious scripting-language injection attacks, and external entity attacks
• Protection against XML content tampering and viruses in SOAP attachments
• DoD STIG vulnerability tested and assured

Transactional Integrity Protection
• Protect against identity spoofing and session hijacking cluster-wide
• Assure integrity of communication end-to-end
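The XML attack protections listed above (external entity attacks, entity-expansion XDoS, deep nesting), as an added illustration rather than SecureSpan's implementation: a gateway-style pre-parse guard built on Python's standard-library expat parser that refuses any DOCTYPE (and with it every entity declaration), any external entity reference, and documents beyond size, depth or element-count limits. The guard function, its limits and the sample documents are constructed for this example.

```python
"""Reject DTD-borne XML attacks (XXE, billion laughs) and nesting/size XDoS before a
service ever parses the body. Added illustration on the standard-library expat parser;
the limits and the sample documents below are constructed, not taken from any product."""
import xml.parsers.expat


class UnsafeXML(Exception):
    """Raised when a document trips one of the gateway-style guards."""


def parse_guarded(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 32,
                  max_elements: int = 10_000) -> dict:
    """Stream the document through expat with guards installed; return simple stats."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document of {len(data)} bytes exceeds {max_bytes}")
    parser = xml.parsers.expat.ParserCreate()
    stats = {"root": None, "elements": 0, "max_depth": 0}
    depth = 0

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no entity declarations: this alone closes off XXE and
        # entity-expansion ("billion laughs") payloads.
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed")

    def external_entity_ref(context, base, sysid, pubid):
        # Defense in depth: never resolve an external entity even if a DTD got through.
        raise UnsafeXML(f"external entity reference to {sysid!r}")

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if stats["root"] is None:
            stats["root"] = name
        if depth > max_depth:
            raise UnsafeXML(f"nesting deeper than {max_depth}")
        if stats["elements"] > max_elements:
            raise UnsafeXML(f"more than {max_elements} elements")

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)  # exceptions raised inside handlers propagate out of Parse
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return stats


def verdict(data: bytes) -> str:
    """Gateway-style verdict: 'allow' or 'deny: <reason>'."""
    try:
        parse_guarded(data)
    except UnsafeXML as exc:
        return f"deny: {exc}"
    return "allow"


# Constructed sample documents.
BENIGN = b"<order><sku>A-100</sku><quantity>3</quantity></order>"
XXE = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b"<order><sku>&xxe;</sku></order>")
LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
          b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
          b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
          b"<lolz>&lol3;</lolz>")
DEEP = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("laughs", LAUGHS), ("deep", DEEP)):
        print(label, verdict(doc))
```

Refusing the DOCTYPE outright is the simplest robust policy for an API gateway: RESTful payloads have no legitimate need for a DTD, and rejecting it at the first token means the expansion never happens rather than being caught after it has consumed memory.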

Traffic Management

Throttling
• Granular rate limiting and traffic shaping based on number of requests or service availability across a cluster

Cluster-wide counters
• Persist message counters across clusters so that rate limiting and traffic shaping can be strictly enforced in high availability configurations

CoS for XML
• Prioritize XML traffic based on Class of Service/Quality of Service preferences

Service availability management
• Manage routing to back-end services based on availability or latency performance

Reporting and analysis
• Configurable, out-of-the-box reports provide insight into SSG operations, service-level performance, and user experience
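The cluster-wide counter feature, as an added illustration rather than SecureSpan code: the same fixed-window limiter run once with per-node counters and once with a shared counter, to show why counters that are not persisted across the cluster let a client exceed its quota by a factor of the node count. The CounterStore, GatewayNode and simulate names, and the in-memory dict standing in for a replicated counter store, are assumptions of this example.

```python
"""Why rate limits need cluster-wide counters. Added illustration; an in-memory dict
behind a lock stands in for the replicated store a gateway cluster would share."""
import threading
from collections import defaultdict


class CounterStore:
    """Fixed-window counter with an atomic increment-and-get, keyed by (client, window)."""
    def __init__(self):
        self._counts = defaultdict(int)
        self._lock = threading.Lock()

    def incr(self, key) -> int:
        with self._lock:
            self._counts[key] += 1
            return self._counts[key]


class GatewayNode:
    def __init__(self, name: str, store: CounterStore, limit: int, window_seconds: int = 60):
        self.name, self.store, self.limit, self.window = name, store, limit, window_seconds

    def admit(self, client_id: str, now: float) -> bool:
        window = int(now // self.window)
        # Increment-and-get is atomic in the store, so two nodes racing on the same
        # client cannot both observe a count below the limit once it has been reached.
        count = self.store.incr((client_id, window))
        return count <= self.limit


def simulate(shared: bool, nodes: int = 3, requests: int = 300, limit: int = 100) -> int:
    """Round-robin `requests` from one client across `nodes`; return how many were admitted."""
    store = CounterStore()
    cluster = [GatewayNode(f"node{i}", store if shared else CounterStore(), limit)
               for i in range(nodes)]
    admitted = 0
    for i in range(requests):
        node = cluster[i % nodes]
        # 300 requests spread over three seconds, all inside one 60-second window.
        if node.admit("client-A", now=1_000_000.0 + i * 0.01):
            admitted += 1
    return admitted


def window_rollover(limit: int = 2) -> tuple:
    """Counts reset at the window boundary: third request denied, then admitted again."""
    node = GatewayNode("n", CounterStore(), limit, window_seconds=60)
    in_window = [node.admit("c", now=t) for t in (0.0, 1.0, 2.0)]
    next_window = node.admit("c", now=60.0)
    return (in_window, next_window)


if __name__ == "__main__":
    print("per-node counters admitted:", simulate(shared=False))   # 3x the quota leaks through
    print("shared counters admitted:  ", simulate(shared=True))
    print("window rollover:", window_rollover())
```

With three nodes and per-node counters the client is admitted 300 times against a limit of 100, because each node only sees a third of the traffic; with the shared store exactly 100 get through. A real cluster store also has to make the increment atomic across nodes, which the lock here only approximates within one process.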

Supported Standards

XML, JSON, SOAP, REST, PCI-DSS, AJAX, XPath, XSLT, WSDL, XML Schema, LDAP, SAML, XACML, OAuth, PKCS, X.509 Certificates, FIPS 140, Kerberos, W3C XML Signature, W3C XML Encryption, SSL/TLS, SNMP, SMTP, POP3, IMAP4, HTTP/HTTPS, JMS, MQ Series, Tibco EMS, FTP, WS-Security, WS-Trust, WS-Federation, WS-SecureExchange, WS-Addressing, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WSIL, WS-I, WS-I BSP, UDDI, WSRR, MTOM, IPv6, WCF

To learn more about Layer 7 call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377. You can also email us at [email protected]; friend us on facebook.com/layer7; visit us at layer7.com, or follow us on twitter @layer7.