This page last changed on Oct 06, 2006 by ross.

Mule allows you to authenticate requests via endpoints using transport-specific or generic authentication methods. It also allows you to control method-level authorisation on your Service Components. This section covers the following topics -

Once you've read this page, the following will also be of interest to people wanting to enable authorisation on Service Components or use security technologies such as JAAS, PGP or CAS -

Security Manager

The Security Manager is responsible for authenticating requests based on one or more Security Providers configured on the Security Manager. A Security Provider can authenticate against a variety of repositories such as LDAP, JAAS, database (DAO) and third-party security frameworks such as CAS (Yale Central Authentication Service).
Mule has a default security implementation that uses Acegi Security. It provides a number of Security Providers out of the box, including the ones listed above. Acegi is a Spring-based implementation and also provides interceptors that can enable method-level authorisation on your UMO components. For Spring users this means a unified approach to their application security. For Mule users not using Spring, using Acegi imposes no Spring requirements on your application code. All security is provided via the Mule security API, so custom implementations can easily be plugged in.

Configuration

The following describes how to configure a single Security provider on Mule, in this case an in-memory DAO.

<mule-configuration>
    <security-manager>
        <security-provider name="memory-dao"
             className="org.mule.extras.acegi.AcegiProviderAdapter">
            <properties>
                <container-property name="delegate" reference="daoAuthenticationProvider"/>
            </properties>
        </security-provider>
    </security-manager>
    ....
</mule-configuration>

Note that the 'delegate' property is a container property, meaning we need a container to get it from. Here we configure a Spring Container Context to load our Security Providers from. You can set multiple security-provider elements.

<container-context
    className="org.mule.extras.spring.SpringContainerContext">
    <properties>
        <property name="configFile" value="securityContext.xml"/>
    </properties>
</container-context>

The Spring Acegi configuration is where the real Security Provider configuration occurs.

<beans>
    <bean id="daoAuthenticationProvider"
        class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="authenticationDao">
            <ref bean="inMemoryDaoImpl"/>
        </property>
    </bean>

    <bean id="inMemoryDaoImpl"
        class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
        <property name="userMap">
            <value>
      ross=ross,ROLE_ADMIN
      anon=anon,ROLE_ANONYMOUS
            </value>
        </property>
    </bean>
</beans>

Here we have a static DAO Security Provider that allows user credentials to be set in memory, with two users: ross and anon.

Encryption strategies

The Security Manager can be configured with one or more Encryption Strategies that can then be used by encryption transformers, Security Filters or secure Transport providers such as SSL or HTTPS. These Encryption Strategies can greatly simplify configuration for secure messaging, as they can be shared across components.

<security-manager>
    <encryption-strategy name="PBE"
    className="org.mule.impl.security.PasswordBasedEncryptionStrategy">
        <properties>
            <property name="password" value="mule"/>
        </properties>
    </encryption-strategy>
</security-manager>

This strategy can then be referenced by other components in the system such as filters or transformers.

<transformers>
    <transformer name="EncryptedToByteArray"
        className="org.mule.transformers.encryption.DecryptionTransformer">
        <properties>
            <property name="strategyName" value="PBE"/>
        </properties>
    </transformer>
</transformers>

Security Filters

Security filters can be configured on an object to either authenticate inbound requests or attach credentials to outbound requests.

Endpoint Security Filter

As the name suggests, these types of filters are configured on endpoints. To configure an HTTP Basic Auth filter on an HTTP endpoint, use the following -

<endpoint address="http://localhost:4567">
    <security-filter
    className="org.mule.extras.acegi.filters.http.HttpBasicAuthenticationFilter">
        <properties>
            <property name="realm" value="mule-realm"/>
        </properties>
    </security-filter>
</endpoint>

When a request is received, the Authentication header is read from the request and authenticated against all Security Providers on the Security Manager. If you only want to validate against certain ones, you can supply a comma-separated list of Security Provider names.

<endpoint address="http://localhost:4567">
    <security-filter useProviders="default,another"
    className="org.mule.extras.acegi.filters.http.HttpBasicAuthenticationFilter"/>
</endpoint>
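
As an added illustration (not Mule or Acegi code, and not part of the original page), this Python model shows the check an HTTP Basic filter performs against userMap entries like those in the inMemoryDaoImpl bean, including the useProviders restriction; Basic credentials arrive base64-encoded in the HTTP `Authorization` request header. The provider table, the user in the `another` provider and all function names are constructed for the example, and it assumes a request is accepted as soon as one selected provider accepts the credentials.

```python
import base64
import binascii
import hmac

# Constructed provider table: provider name -> userMap text in the
# "user=password,ROLE" form used by the page's inMemoryDaoImpl bean.
PROVIDERS = {
    "memory-dao": "ross=ross,ROLE_ADMIN\nanon=anon,ROLE_ANONYMOUS",
    "another": "carol=s3cret,ROLE_USER",  # hypothetical second provider
}

def parse_user_map(text):
    """Return {user: (password, [roles])} from userMap lines."""
    users = {}
    for line in text.splitlines():
        user, sep, rest = line.strip().partition("=")
        if sep:
            password, *roles = [p.strip() for p in rest.split(",")]
            users[user.strip()] = (password, roles)
    return users

def basic_header(user, password):
    """Header value a client sends: base64 is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def decode_basic(header):
    """Return (user, password) from an Authorization value, or None."""
    scheme, _, token = (header or "").strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def authenticate(header, realm="mule-realm", use_providers=None):
    """Return (status, response_headers, roles) for one request."""
    creds = decode_basic(header)
    names = use_providers.split(",") if use_providers else list(PROVIDERS)
    for name in names if creds else []:
        entry = parse_user_map(PROVIDERS.get(name.strip(), "")).get(creds[0])
        # Constant-time comparison does not leak how many bytes matched.
        if entry and hmac.compare_digest(entry[0].encode(), creds[1].encode()):
            return 200, {}, entry[1]
    # Missing, malformed or rejected credentials all get the same challenge.
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, []
```

The header built for ross is `Basic cm9zczpyb3Nz`, which decodes straight back to `ross:ross`, so on a plain http:// endpoint the password is readable by anyone who can observe the request.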
Document generated by Confluence on Nov 27, 2006 10:27