/ Security Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Secure Your Mule Application With Spring Java

DZone's Guide to

Secure Your Mule Application With Spring Java

In this article, we'll look at how to use our Mule application to pick up and validate credentials from a custom Java application.

by
Anirban Sen Chowdhary
·
Mar. 21, 17 · Security Zone
Free Resource

Comment (4)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Address your unique security needs at every stage of the software development life cycle. Brought to you in partnership with Synopsys.

In a previous article, Secure Your Mule Application With Spring JDBC, I explained how to configure Spring authentication in your Mule application, where we can store and validate the credentials from a database.

Here in this article, we will modify the application and will pick up and validate the credentials from our custom Java application which in turn will pick the credentials from a properties file in the application.

We will be modifying our Mule configuration as shown below:

<spring:beans>
<spring:bean class="com.authentication.CustomAuthenticationProvider" id="customAuthenticationProvider"/>
</spring:beans>

<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider ref="customAuthenticationProvider"/> 
  <!-- picking credentials from Java Class -->
</ss:authentication-manager>
</spring:beans>

<mule-ss:security-manager doc:name="Spring_Security_Provider" name="security">
<mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager" />
</mule-ss:security-manager>

<http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8082" doc:name="HTTP Listener Configuration" />

<flow name="SpringAuthWithJava">
<http:listener config-ref="HTTP_Listener_Configuration" path="/secure" doc:name="HTTP"/>
<http:basic-security-filter realm="mule-realm"/>
<mule-ss:authorization-filter requiredAuthorities="#{{'ROLE_ADMIN','ROLE_USER'}}"/>
<logger level="INFO" message="## passed security" doc:name="Logger"/>
</flow>

You can see how we have configured,authentication-provider which refers to our Java class:

<ss:authentication-provider ref="customAuthenticationProvider"/>

Now, let's look into our Java class, which will implement the AuthenticationProvider interface that is shown below:

package com.authentication;

import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

@Override
public Authentication authenticate(Authentication authValue) throws AuthenticationException {

String name = authValue.getName().trim();
String secratePass = authValue.getCredentials().toString().trim();

if (name.equals(System.getProperty("user.name")) && secratePass.equals(System.getProperty("user.password"))) {
List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
Authentication auth = new UsernamePasswordAuthenticationToken(name, secratePass, grantedAuths);
return auth;
} else {
throw new BadCredentialsException("Bad Credentials entered");
// Custom Message;
}
}

@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}

}

We can see above the user and password are taken from a properties file:

user.name=admin
user.password=system

And validated in our Java class:

name.equals(System.getProperty("user.name")) && secratePass.equals(System.getProperty("user.password"))


That's it! Time to test our application.

Testing Our Application:

When we will deploy the application under Mule server and hit the application URL in a browser, we will get the following dialogue box prompted, and we will start with entering the wrong credential as shown below:

Image title

And soon we will get our custom exception message defined in our Java class in the console below:

Image title

Now, we can enter our actual credentials as below:

Image title

Which will result in the following success message in our console:

Image title

We can add now add our required business logic in the mule flow for further processing.

Now, before we end our blog, what about checking the role of the application client?

Let's change the role of the application client in the below Java class from the role to ROLE_USER:

grantedAuths.add(new SimpleGrantedAuthority("ROLE_DEVELOPER"));


So, as we can see that in our Mule flow, we are validating our role:

<mule-ss:authorization-filter requiredAuthorities="#{{'ROLE_ADMIN','ROLE_USER'}}"/>


Which purely gives permission and authentication to the above roles. So, changing the role to ROLE_USER will lead following exception in the console:

Image title

Which clearly indicates how it controls the role based authentication.

Conclusion:

With the above use case, we can realize easily that it’s very easy to implement the Spring security in our Mule application. The only thing we need to do is to create the custom Java application and configure the user credentials information in the properties file so that the application authentication can be done against those values.

Find out how Synopsys can help you build security and quality into your SDLC and supply chain. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.

Like This Article? Read More From DZone

Spring Tips: Creating a Spring Security OAuth Auth Service [Video]
Get Started With Spring Boot, OAuth 2.0, and Okta
Spring Security - Custom Authentication

Free DZone Refcard

Java EE Security Essentials
DOWNLOAD
Topics:
mule ,spring authentication ,java ,security

Comment (4)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Opinions expressed by DZone contributors are their own.

Security Partner Resources

CISO’s Guide to Application Security
Webinar: Secure your apps against a deserialization attack. It's not possible, is it?
Traditional Application Security Approaches Are Not Working
Building Security Into Cloud Applications
Software Security Testing: Blending Art and Science
Bring your Java apps up to date with the latest Java release with no code changes
Delivering Security in an Agile World
See how the Agile Security Manifesto can help your firm build secure software in an agile way.
Learn How to Build Security into the DevOps Life Cycle

Security Partner Resources

CISO’s Guide to Application Security
Webinar: Secure your apps against a deserialization attack. It's not possible, is it?
Traditional Application Security Approaches Are Not Working
Building Security Into Cloud Applications
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone