Over a million developers have joined DZone.

Secure Your Mule Application With Spring Java

DZone's Guide to

Secure Your Mule Application With Spring Java

In this article, we'll look at how to use our Mule application to pick up and validate credentials from a custom Java application.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

In a previous article, Secure Your Mule Application With Spring JDBC, I explained how to configure Spring authentication in your Mule application, where we can store and validate the credentials from a database.

Here in this article, we will modify the application and will pick up and validate the credentials from our custom Java application which in turn will pick the credentials from a properties file in the application.

We will be modifying our Mule configuration as shown below:

<spring:bean class="com.authentication.CustomAuthenticationProvider" id="customAuthenticationProvider"/>

<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider ref="customAuthenticationProvider"/> 
  <!-- picking credentials from Java Class -->

<mule-ss:security-manager doc:name="Spring_Security_Provider" name="security">
<mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager" />

<http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8082" doc:name="HTTP Listener Configuration" />

<flow name="SpringAuthWithJava">
<http:listener config-ref="HTTP_Listener_Configuration" path="/secure" doc:name="HTTP"/>
<http:basic-security-filter realm="mule-realm"/>
<mule-ss:authorization-filter requiredAuthorities="#{{'ROLE_ADMIN','ROLE_USER'}}"/>
<logger level="INFO" message="## passed security" doc:name="Logger"/>

You can see how we have configured,authentication-provider which refers to our Java class:

<ss:authentication-provider ref="customAuthenticationProvider"/>

Now, let's look into our Java class, which will implement the AuthenticationProvider interface that is shown below:

package com.authentication;

import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

public class CustomAuthenticationProvider implements AuthenticationProvider {

public Authentication authenticate(Authentication authValue) throws AuthenticationException {

String name = authValue.getName().trim();
String secratePass = authValue.getCredentials().toString().trim();

if (name.equals(System.getProperty("user.name")) && secratePass.equals(System.getProperty("user.password"))) {
List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
Authentication auth = new UsernamePasswordAuthenticationToken(name, secratePass, grantedAuths);
return auth;
} else {
throw new BadCredentialsException("Bad Credentials entered");
// Custom Message;

public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);


We can see above the user and password are taken from a properties file:


And validated in our Java class:

name.equals(System.getProperty("user.name")) && secratePass.equals(System.getProperty("user.password")) 

That's it! Time to test our application.

Testing Our Application:

When we will deploy the application under Mule server and hit the application URL in a browser, we will get the following dialogue box prompted, and we will start with entering the wrong credential as shown below:

Image title

And soon we will get our custom exception message defined in our Java class in the console below:

Image title

Now, we can enter our actual credentials as below:

Image title

Which will result in the following success message in our console:

Image title

We can add now add our required business logic in the mule flow for further processing.

Now, before we end our blog, what about checking the role of the application client?

Let's change the role of the application client in the below Java class from the role to ROLE_USER:

grantedAuths.add(new SimpleGrantedAuthority("ROLE_DEVELOPER"));

So, as we can see that in our Mule flow, we are validating our role:

<mule-ss:authorization-filter requiredAuthorities="#{{'ROLE_ADMIN','ROLE_USER'}}"/>

Which purely gives permission and authentication to the above roles. So, changing the role to ROLE_USER will lead following exception in the console:

Image title

Which clearly indicates how it controls the role based authentication.


With the above use case, we can realize easily that it’s very easy to implement the Spring security in our Mule application. The only thing we need to do is to create the custom Java application and configure the user credentials information in the properties file so that the application authentication can be done against those values.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

mule ,spring authentication ,java ,security

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}