Spring Security in Mule

  • Written By WHISHWORKS
  • 13/11/2015

Mule provides different options for securing Mule applications. If the requirement is to secure Mule-based HTTP/REST endpoints, leveraging Spring Security with Mule is one option to consider. That is the scenario discussed in this blog.

Spring Security focuses mainly on two areas of security: authentication and authorization.

“Authentication” is the process of identifying a user and confirming that the user is who he/she claims to be. A typical example is user login to an application, with the user authenticated against a database or LDAP system. Apart from this, Spring also provides various encryption mechanisms for securing user passwords.

“Authorization” is the process of allowing a user to access a certain resource/method according to a role that defines his/her allowed actions on that resource/method. For example, a user can be authorized against a database or LDAP system for a specific role/group.

By leveraging Spring Security in Mule, authentication and authorization of Mule flows can be achieved. Spring-based interceptors (MethodSecurityInterceptor and custom interceptors) can also be used to pre-validate the user identity before invoking the required endpoint.

Spring Security can also secure method invocations using Spring AOP, proxying objects and applying advice that ensures the user has the proper authority to invoke secured methods.

The AuthenticationManager in Spring processes the authentication request. It has various implementations, which can be chosen depending on the requirement. The AuthenticationManager iterates through a list of AuthenticationProviders. Authentication providers can be backed by LDAP, DAO/JDBC or an in-memory store. If any of these authentication providers returns an authentication object, the user is authenticated successfully. Authorization is done with the help of various implementations of AccessDecisionManager.

Spring Security filters can be used to authenticate inbound requests or attach credentials to outbound requests. They can also be used to configure an HTTP basic authorization filter on an HTTP connector.

Spring Security in Mule is configured by adding the security schema references to the Mule configuration file, as given below.

    <mule xmlns="http://www.mulesoft.org/schema/mule/core"
          xmlns:http="http://www.mulesoft.org/schema/mule/http"
          xmlns:tracking="http://www.mulesoft.org/schema/mule/ee/tracking"
          xmlns:spring="http://www.springframework.org/schema/beans"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
          xmlns:ss="http://www.springframework.org/schema/security"
          xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-current.xsd
            http://www.mulesoft.org/schema/mule/core
            http://www.mulesoft.org/schema/mule/core/current/mule.xsd
            http://www.mulesoft.org/schema/mule/http
            http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
            http://www.mulesoft.org/schema/mule/ee/tracking
            http://www.mulesoft.org/schema/mule/ee/tracking/current/mule-tracking-ee.xsd
            http://www.mulesoft.org/schema/mule/spring-security
            http://www.mulesoft.org/schema/mule/spring-security/3.1/mule-spring-security.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <!-- security manager, Spring beans and flows go here -->

    </mule>
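
The pieces described above (an AuthenticationManager with a provider, Mule's security manager delegating to it, and an HTTP basic filter on an endpoint) fit together as in the following added example, which is not part of the original post. It assumes a Mule 3.6+ HTTP listener and the `mule-ss`, `ss`, `spring` and `http` namespace prefixes; the flow name, port, path, user names and passwords are constructed placeholders.

```xml
<!-- Added example: place inside the <mule> root element.
     All names, the port and the credentials are constructed. -->

<!-- Spring side: the AuthenticationManager and its list of providers. -->
<spring:beans>
    <ss:authentication-manager alias="authenticationManager">
        <!-- In-memory provider, for demonstration only. An LDAP or
             DAO/JDBC provider is declared in this same position. -->
        <ss:authentication-provider>
            <ss:user-service id="userService">
                <ss:user name="demo-admin" password="CHANGE_ME_1"
                         authorities="ROLE_ADMIN"/>
                <ss:user name="demo-user" password="CHANGE_ME_2"
                         authorities="ROLE_USER"/>
            </ss:user-service>
        </ss:authentication-provider>
    </ss:authentication-manager>
</spring:beans>

<!-- Mule side: expose the Spring AuthenticationManager as a Mule
     security provider. -->
<mule-ss:security-manager>
    <mule-ss:delegate-security-provider name="memory-provider"
                                        delegate-ref="authenticationManager"/>
</mule-ss:security-manager>

<http:listener-config name="httpListenerConfig"
                      host="localhost" port="8081"/>

<flow name="securedFlow">
    <http:listener config-ref="httpListenerConfig" path="/secure"/>

    <!-- Authentication: requests without valid HTTP Basic credentials
         are rejected before any later processor runs. -->
    <http:basic-security-filter realm="mule-realm"/>

    <!-- Authorization: only principals holding ROLE_ADMIN continue;
         demo-user authenticates but is refused here. -->
    <mule-ss:authorization-filter requiredAuthorities="ROLE_ADMIN"/>

    <set-payload value="authorized"/>
</flow>
```

HTTP Basic credentials are only Base64-encoded on the wire, so a listener like this should be served over HTTPS outside a local test.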

References

https://docs.mulesoft.com/mule-user-guide/v/3.7/configuring-the-spring-security-manager

https://docs.mulesoft.com/mule-user-guide/v/3.7/security-manager-configuration-reference

https://docs.mulesoft.com/mule-user-guide/v/3.7/component-authorization-using-spring-security
