Ever wondered how you can provide basic security in Mule 4 without using API Manager? Here is the solution!
This tutorial focuses on applying Basic Authentication and role-based authorization without using API Manager, using the Basic Security filter together with the Authorization filter. The main advantage of this approach is that it is highly cost effective.
The Basic Security filter implements HTTP Basic Authentication, an authentication scheme built into the HTTP protocol.
Basic Authentication intercepts the request to the protected resource and looks for the Authorization HTTP header. The filter extracts the Base64-encoded username and password from that header and asks the configured security manager to check them against the users defined in the provided bean file. At the Basic Security stage, every incoming request is validated only for its username-password combination.
This approach provides the following benefits:
- It lets you manage application security through user credentials.
- No client ID creation or token generation is required.
- It is a cost-effective way to implement basic authentication.
- Custom error messages and exception handling are possible when authentication fails.
Basic authentication validates only the username and password. Role-based validation is done at the Authorization filter level, which authorizes users against a required set of authorities.
The Spring bean authentication manager lets us manage a user service with multiple roles.
In the example below, you can use a simple user or an encrypted admin to set up and enforce security through Mule.
Spring module configuration: a Spring Config and a Spring Security Manager, which provide credential validation and the delegate reference.
Both Spring configurations need to be populated in a specific way to link them to the bean XML file.
The Basic Security filter retrieves the HTTP attributes (the credentials carried in the Authorization header); the authenticated request then needs to be passed on to the Authorization filter.
Realm is an optional attribute that some servers require. You only need to set it if the server requires it.
The Authorization filter mapping is a little critical: make sure all the dependencies are version-synced.
Required authorities can include as many roles as are defined in the bean XML file.
The Spring module adds support for a filter that fails if the authentication cannot be validated using the Mule Security Manager.
If the request is authenticated successfully, Mule retrieves the username and uses it in the Spring Authorization filter to look up that user and try to authorize the request against the authority ROLE_ADMIN.
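The whole setup described above, as an added example that is not from the original post: a bean file with one clear-text user and one bcrypt-protected admin, and a Mule flow that runs the Basic Security filter and then the Authorization filter, answering 401 or 403 with a custom message instead of the default 500. The file names, port, user names and role names are assumptions, the bcrypt value is a placeholder, and mapping the Authorization filter failure to MULE:NOT_PERMITTED is my assumption about the error type it raises.

```xml
<!-- beans.xml (src/main/resources): the users and roles the Spring security manager checks against -->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:ss="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
  <ss:authentication-manager alias="authenticationManager">
    <ss:authentication-provider>
      <ss:user-service id="userService">
        <!-- {noop} = clear-text password (test user only); {bcrypt} = hash, paste the BCryptPasswordEncoder output over the placeholder -->
        <ss:user name="user" password="{noop}user-password" authorities="ROLE_USER"/>
        <ss:user name="admin" password="{bcrypt}REPLACE-WITH-BCRYPT-HASH" authorities="ROLE_ADMIN"/>
      </ss:user-service>
    </ss:authentication-provider>
  </ss:authentication-manager>
</beans>
<!-- basic-auth.xml (src/main/mule): authenticate every request, then allow /admin for ROLE_ADMIN only -->
<mule xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:spring="http://www.mulesoft.org/schema/mule/spring" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
        http://www.mulesoft.org/schema/mule/spring http://www.mulesoft.org/schema/mule/spring/current/mule-spring.xsd">
  <spring:config name="springConfig" files="beans.xml"/>
  <spring:security-manager>
    <spring:delegate-security-provider name="memoryProvider" delegate-ref="authenticationManager"/> <!-- delegate-ref = alias in beans.xml -->
  </spring:security-manager>
  <http:listener-config name="HTTP_Listener_config">
    <http:listener-connection host="0.0.0.0" port="8081"/>
  </http:listener-config>
  <flow name="admin-flow">
    <http:listener config-ref="HTTP_Listener_config" path="/admin">
      <http:error-response statusCode="#[vars.httpStatus default 500]"> <!-- status and headers come from the error handler -->
        <http:body>#[payload]</http:body>
        <http:headers>#[vars.httpHeaders default {}]</http:headers>
      </http:error-response>
    </http:listener>
    <http:basic-security-filter realm="mule-realm"/>
    <spring:authorization-filter requiredAuthorities="ROLE_ADMIN"/>
    <set-payload value="Admin-only resource"/>
    <error-handler>
      <!-- missing or wrong credentials: 401 plus a fresh Basic challenge for the same realm -->
      <on-error-propagate type="HTTP:BASIC_AUTHENTICATION">
        <set-variable variableName="httpStatus" value="401"/>
        <set-variable variableName="httpHeaders" value="#[{'WWW-Authenticate': 'Basic realm=&quot;mule-realm&quot;'}]"/>
        <set-payload value="Authentication required"/>
      </on-error-propagate>
      <!-- authenticated but lacking ROLE_ADMIN: 403 (error type is an assumption, see lead-in) -->
      <on-error-propagate type="MULE:NOT_PERMITTED">
        <set-variable variableName="httpStatus" value="403"/>
        <set-payload value="Insufficient authorities"/>
      </on-error-propagate>
    </error-handler>
  </flow>
</mule>
```

With this in place, a request with no Authorization header or a wrong password gets a 401 before the flow body runs, while `user` (ROLE_USER only) authenticates but is stopped by the Authorization filter with a 403.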