Spring Security in Mule

13.11.2015

Mule provides different options for securing mule applications. If the requirement is to secure Mule based HTTP/REST endpoints then leveraging Spring Security with Mule is an option which can be considered. This is one of the scenarios which is discussed in this blog.

Spring security mainly focuses around the two areas of security i.e. authentication and authorization.

"Authentication" is the process of identifying a user and assuring that the user is actually the same which he/she claims for.  A typical example for this use case is the user login in the application. Consider the user authentication against the Database/LDAP system. Apart from this, Spring also provides various encryption mechanisms for securing user password.

"Authorization" is the process wherein it allows a user to access a certain resource/method with the certain role that defines his/her allowed actions on the resource/method. Consider the user authorization against Database/LDAP system for the specific role/group.

By leveraging Spring Security in Mule the authentication and authorization of mule flows can be achieved. Spring based interceptors (MethodSecurityInterceptor and custom interceptors) also can be considered for pre-validating the user identity before invoking the require endpoint.

Spring Security can also secure method invocations using Spring AOP—proxying objects and applying advice that ensures user has proper authority to invoke secured methods.

AuthenticationManager in Spring processes the authentication request. It has various implementations which can be considered depending on the requirement. AuthenticationManager iterates through a list of AuthenticationProviders. Authentication providers can be configured with LDAP, DAO/JDBC, in-memory provider. If any of these authentication providers return an authentication object response, user is authenticated successfully. Authorization is done with the help of various implementations of AccessDecisionManager.

Spring security filters can be used to authenticate inbound requests or attach credentials to outbound requests. It can also be used to configure an HTTP basic authorization filter on an HTTP connector.

Spring security in Mule can be configured by adding security reference schema as given below.

xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
xmlns:ss="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core
http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http
http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/ee/tracking
http://www.mulesoft.org/schema/mule/ee/tracking/current/mule-tracking-ee.xsd
http://www.mulesoft.org/schema/mule/spring-security
http://www.mulesoft.org/schema/mule/spring-security/3.1/mule-spring-security.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd

References

https://docs.mulesoft.com/mule-user-guide/v/3.7/configuring-the-spring-security-manager

https://docs.mulesoft.com/mule-user-guide/v/3.7/security-manager-configuration-reference

https://docs.mulesoft.com/mule-user-guide/v/3.7/component-authorization-using-spring-security

If you would like to find out more about how APIs could help you make the most out of your current infrastructure while enabling you to open your digital horizons, do give us a call at +44 (0)203 475 7980 or email us at marketing@whishworks.com

Other useful links:

Mule 2 to Mule 3 Migration Case Study

APIs in the IoT

5 challenges with Systems Integration

Recent Posts