3. MULESOFT – Enterprise Security Modules
Mule Secure Token Service (STS) OAuth 2.0a Provider (it is part of the Enterprise edition)
Security for REST service providers/consumers (for APIs we develop using MuleSoft API-led connectivity)
Ensure that the API is properly protected by the right authentication / authorization schemes.
Authorization & Authentication:
• SAML
• OAuth 2
• WS-Security
• PingFederate
4. MULESOFT – Enterprise Security Modules
Each layer has specific security requirements in the API-led approach:
Experience: this layer needs to be protected by inbound security.
Process: in this layer, fine-grained security is applied as to who has access to which process API.
System Connectivity: this layer needs to be protected by outbound security.
5. MULESOFT – Enterprise Security Modules
[Diagram: the three API layers and the security applied at each]
• Experience APIs: Inbound Security (Authentication, Authorization and Data Security); API Manager security policies; consumed by Web/Mobile/Desktop clients
• Process APIs: Process-level fine-grained security
• System APIs: Outbound Security (Authentication, Authorization and Data Security); connect to on-premise / cloud applications
6. Securing API in Anypoint platform
A combination of HTTPS and OAuth 2.0 is the best practice for Web API security.
Basic Authentication (HTTPS)
The http-security-filter knows how to decode the incoming Base64-encoded username
and password before passing them to the security manager. Failure to
authenticate will result in a 403 being sent back to the client.
7. Securing API in Anypoint platform
OAuth 2.0
The oauth-provider config exposes a URL over which it receives requests for a token in
exchange for credentials (client id, secret, username and password). It also passes
the username and password to the security-manager before proceeding to issue a
token.
Every invocation of the API should be protected with an oauth-provider validate
message processor. This will check for an incoming token and verify that it is
valid, still within its expiration window and allows the client to actually invoke
this flow. Tokens are issued based on requested scopes. The validation takes scope
into account when making its decision. If validation fails, a 403 is returned to the
client. If it succeeds, the flow continues to execute normally.
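The two checks described on these slides (Basic credentials decoded and handed to the security manager; OAuth tokens validated for existence, expiry and scope), as an added Python model that is not Mule's own code: USERS, CLIENTS, TOKENS and TOKEN_TTL are constructed stand-ins for the security manager, client registry and token store, and the functions return the HTTP status the slides describe.

```python
import base64
import binascii
import hmac
import secrets
import time

# Constructed stand-ins for the security manager, client registry and token store.
USERS = {"alice": "s3cret"}
CLIENTS = {"web-app": "client-secret"}
TOKENS = {}          # access token -> {"user", "scopes", "expires"}
TOKEN_TTL = 3600     # seconds a freshly issued token stays valid

def _credential_ok(store, key, secret):
    """Constant-time comparison against the store; unknown keys simply fail."""
    expected = store.get(key)
    return expected is not None and hmac.compare_digest(expected.encode(), secret.encode())

def basic_auth_status(authorization_header):
    """Model of the http-security-filter: decode the Base64 'user:password' pair,
    hand it to the security manager, and answer 403 on any failure."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return 403
    try:
        user, _, password = base64.b64decode(
            authorization_header[6:], validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return 403
    return 200 if _credential_ok(USERS, user, password) else 403

def issue_token(client_id, client_secret, user, password, scopes, now=None):
    """Model of the oauth-provider token endpoint: client and resource-owner
    credentials go to the security manager before a scoped token is issued."""
    if not (_credential_ok(CLIENTS, client_id, client_secret)
            and _credential_ok(USERS, user, password)):
        return None
    token = secrets.token_urlsafe(32)
    issued = time.time() if now is None else now
    TOKENS[token] = {"user": user, "scopes": set(scopes), "expires": issued + TOKEN_TTL}
    return token

def validate_status(authorization_header, required_scopes, now=None):
    """Model of the oauth-provider validate processor: the token must be known,
    inside its expiration window and carry every scope the flow requires."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 403
    entry = TOKENS.get(authorization_header[7:])
    if entry is None or (time.time() if now is None else now) >= entry["expires"]:
        return 403
    return 200 if set(required_scopes) <= entry["scopes"] else 403
```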