Abstract
With the rise of initiatives such as software ecosystems and the Internet of Things (IoT), developing robust web Application Programming Interfaces (web APIs) has become an increasingly important practice. One main concern in developing web APIs is that they expose back-end systems and data to clients. This exposure threatens critical non-functional requirements, such as the security of back-end systems, the performance of the provided services, and the privacy of communications with clients. Although dealing with non-functional requirements during software design has long been studied, there is still little guidance on addressing these requirements in web APIs. In this paper, we present WEBAPIK, a body of structured knowledge on addressing non-functional requirements in the design of web APIs. WEBAPIK comprises 27 distinct non-functional requirements, 37 distinct design techniques that address some of the identified requirements, and the trade-offs of 22 of those design techniques, presented in two forms: natural language and knowledge graphs. The design knowledge compiled in WEBAPIK is systematically extracted and aggregated from 80 heterogeneous online literature resources, including 7 books, 15 weblogs and tutorials, 5 vendor white papers, 6 design standards, and 47 research papers. These resources were systematically retrieved from two search engines (Google and Google Scholar) and five research databases (Web of Science, IEEE Xplore, ACM Digital Library, SpringerLink, and ScienceDirect) in two periods: March to August 2018, and August 2022. WEBAPIK gathers and structures expert and scholarly discussions to provide insight into addressing non-functional requirements in the design of web APIs. The structure brought to the design knowledge makes it amenable to extension and creates the potential for employing it in the database of knowledge-based systems that aid software developers in design decision-making.
Notes
The * symbol identifies variations of the search term, e.g., the plural form of a noun or gerund form of a verb.
X.509 is proposed and implemented for communications over the internet, and with HTML and REST APIs. However, we describe and focus on the general mutual authentication pattern used in this mechanism.
Acknowledgements
The first author would like to thank Prof. Marsha Chechik, and Prof. Steve Easterbrook at the University of Toronto for their supervision throughout the course of the research reported in this paper. She also thanks Prof. John Mylopoulos for providing feedback.
The bulk of the research reported in this article has been conducted when the first author was affiliated with the University of Toronto.
Appendix I: The classification of the collected knowledge resources
The knowledge resources used to develop WEBAPIK are listed in Table 1.
The resources are classified based on their type into six categories: B: Book, WL: Weblog, T: Tutorial, WP: White Paper, S: Standard Framework, and R: Research Paper.
The resources are classified based on their focus of study into three categories: DES-TECH: discussing design techniques, NFR: discussing non-functional requirements, EFFECT: discussing trade-offs.
Cite this article
Sadi, M.H., Yu, E. WEBAPIK: a body of structured knowledge on designing web APIs. Requirements Eng 28, 441–479 (2023). https://doi.org/10.1007/s00766-023-00401-2