Component Authorization Using Spring Security
Standard Support for Mule 4.1 ended on November 2, 2020, and this version of Mule reached its End of Life on November 2, 2022, when Extended Support ended. Deployments of new applications to CloudHub that use this version of Mule are no longer allowed. Only in-place updates to applications are permitted. MuleSoft recommends that you upgrade to the latest version of Mule 4 that is in Standard Support so that your applications run with the latest fixes and security enhancements.
Learn how to configure authorization using Spring Security features on your Mule components, so that users with different roles can only invoke certain methods.
Configure Spring Security Authentication Manager
The Spring Security interface Authentication Manager is responsible for passing requests through a chain of Authentication Provider objects. To secure calls to flow components, you must add the configured authenticationManager to the application context.
The following example defines users and assigns them roles with different levels of access to protected processors:
<ss:authentication-manager alias="authenticationManager">
  <ss:authentication-provider>
    <ss:user-service id="userService">
      <ss:user name="admin" password="admin" authorities="ROLE_ADMIN" />
      <ss:user name="joe" password="secret" authorities="ROLE_ADMIN" />
      <ss:user name="anon" password="anon" authorities="ROLE_ANON" />
      <ss:user name="user" password="password" authorities="ROLE_ANON" />
      <ss:user name="ross" password="ross" authorities="ROLE_ANON" />
      <ss:user name="marie" password="marie" authorities="ROLE_ANON" />
    </ss:user-service>
  </ss:authentication-provider>
</ss:authentication-manager>
The following example references the previously defined authenticationManager and sets the requiredAuthorities field to ROLE_ADMIN, so that only users with that role can access the operation:
<spring:security-manager>
  <spring:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager" />
</spring:security-manager>
<flow name="protectedFlow">
  <http:listener doc:name="Listener" config-ref="HTTP_Listener_config" path="/" />
  <http:basic-security-filter doc:name="Basic security filter" realm="mule" />
  <spring:authorization-filter requiredAuthorities="ROLE_ADMIN" />
  <ee:transform doc:name="Transform Message">
    <ee:message>
      <ee:set-payload><![CDATA[%dw 2.0
output application/json
---
{
"status": "ok"
}]]>
      </ee:set-payload>
    </ee:message>
  </ee:transform>
</flow>
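An added example, not part of the original documentation: a Python check that reads the user-service shown above and reports which users satisfy the ROLE_ADMIN authorization filter while holding a guessable password. The deny-list and the namespace declaration on the sample are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's user-service, with the Spring Security
# namespace declared so that it parses as a stand-alone document.
SAMPLE = """<ss:user-service id="userService"
    xmlns:ss="http://www.springframework.org/schema/security">
  <ss:user name="admin" password="admin" authorities="ROLE_ADMIN" />
  <ss:user name="joe" password="secret" authorities="ROLE_ADMIN" />
  <ss:user name="anon" password="anon" authorities="ROLE_ANON" />
  <ss:user name="user" password="password" authorities="ROLE_ANON" />
  <ss:user name="ross" password="ross" authorities="ROLE_ANON" />
  <ss:user name="marie" password="marie" authorities="ROLE_ANON" />
</ss:user-service>"""

# Hypothetical deny-list (assumption); use your organization's own list.
GUESSABLE = {"password", "secret", "changeme", "admin"}


def audit(xml_text, required="ROLE_ADMIN"):
    """Return one finding per <user>: filter outcome and password issues."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # match on local name only
            continue
        name, pw = el.get("name", ""), el.get("password", "")
        # The authorities attribute is a comma-separated list of role names.
        roles = {r.strip() for r in el.get("authorities", "").split(",") if r.strip()}
        issues = []
        if pw.lower() == name.lower():
            issues.append("password equals user name")
        if pw.lower() in GUESSABLE:
            issues.append("password on deny-list")
        findings.append({"user": name, "passes_filter": required in roles,
                         "issues": issues})
    return findings


def exposed_privileged(findings):
    """Users who pass the authorization filter and have a weak password."""
    return sorted(f["user"] for f in findings if f["passes_filter"] and f["issues"])


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("privileged and weak:", exposed_privileged(audit(SAMPLE)))
```

Run against the sample, both accounts that hold ROLE_ADMIN are reported, which is why sample credentials like these should be replaced before the configuration leaves a development environment.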
Configure Secure Components in Asynchronous Systems
When you use Spring Security in an asynchronous system, you must add a security property to the security provider so that the authentication is set on more than one thread.
In the following example, the added security property is securityMode, with the value MODE_GLOBAL:
<mule-ss:security-manager>
  <mule-ss:delegate-security-provider name="memory-dao" delegate-ref="authenticationManager">
    <mule-ss:security-property name="securityMode" value="MODE_GLOBAL"/>
  </mule-ss:delegate-security-provider>
</mule-ss:security-manager>