Contact Us 1-800-596-4880

Configuring the Spring Security Manager

Mule runtime engine version 3.8 reached its End of Life on November 16, 2021. For more information, contact your Customer Success Manager to determine how to migrate to the latest Mule version.

Use Spring Security 3.0 as a Security Manager inside Mule.

You can use any of the library’s security providers such as JAAS, LDAP, CAS (Yale Central Authentication service), and DAO. For more information on the elements you can configure for a security manager, see Security Manager Configuration Reference.

Single Security Provider Example

The following example illustrates how to configure a single security provider on Mule, in this case an in-memory database of users. To configure the provider, we set up a <user-service> element and the <authentication-manager> to which Mule delegates.

<mule xmlns:tls="http://www.mulesoft.org/schema/mule/tls" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns:tracking="http://www.mulesoft.org/schema/mule/ee/tracking" xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
    xmlns:spring="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
    xmlns:ss="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/ee/tracking http://www.mulesoft.org/schema/mule/ee/tracking/current/mule-tracking-ee.xsd
http://www.mulesoft.org/schema/mule/spring-security http://www.mulesoft.org/schema/mule/spring-security/current/mule-spring-security.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.mulesoft.org/schema/mule/tls http://www.mulesoft.org/schema/mule/tls/current/mule-tls.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/https http://www.mulesoft.org/schema/mule/https/current/mule-https.xsd">

  <spring:beans>
    <ss:authentication-manager alias="authenticationManager">
      <ss:authentication-provider>
        <ss:user-service id="userService">
          <ss:user name="user" password="password" authorities="ROLE_ADMIN" />
          <ss:user name="anon" password="anon" authorities="ROLE_ANON" />
        </ss:user-service>
      </ss:authentication-provider>
    </ss:authentication-manager>
  </spring:beans>

  <mule-ss:security-manager>
      <mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager" />
  </mule-ss:security-manager>

  <http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8081" doc:name="HTTP Listener Configuration" />

  <flow name="SpringExample">
    <http:listener config-ref="HTTP_Listener_Configuration" path="/" doc:name="HTTP"/>
      <logger level="INFO" message="## received" doc:name="Logger"/>
      <http:basic-security-filter realm="mule-realm"/>
    <logger level="INFO" message="## passed security" doc:name="Logger"/>
  </flow>
</mule>

Adding Spring Security References

To make Spring Security work, you need to add XML schema declarations to your Mule app. Notice the above example includes the following references inside the root XML element:

xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
    xmlns:ss="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
http://www.mulesoft.org/schema/mule/ee/tracking http://www.mulesoft.org/schema/mule/ee/tracking/current/mule-tracking-ee.xsd
http://www.mulesoft.org/schema/mule/spring-security http://www.mulesoft.org/schema/mule/spring-security/3.1/mule-spring-security.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd

Make sure you include these references as they are important and Studio does not add them automatically.

Security Filters

Security filters can be configured on an object to either authenticate inbound requests or attach credentials to outbound requests. For example, to configure an HTTP basic authorization filter on an HTTP connector, you would use the following connector security filter:

<mule-ss:http-security-filter realm="mule-realm"/>

When a request is received, the authentication header is read from the request and authenticated against all security providers on the Security Manager. If you only want to validate on certain providers, you can supply a comma-separated list of security provider names.

<mule-ss:http-security-filter realm="mule-realm" securityProviders="default,another"/>

The realm is an optional attribute required by some servers. You only need to set this attribute if required by the server on the other end.