Secure Your Mule Application With Spring Java
Secure Your Mule Application With Spring Java
In this article, we'll look at how to use our Mule application to pick up and validate credentials from a custom Java application.
Join the DZone community and get the full member experience.
Join For FreeDiscover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.
In a previous article, Secure Your Mule Application With Spring JDBC, I explained how to configure Spring authentication in your Mule application, where we can store and validate the credentials from a database.
Here in this article, we will modify the application and will pick up and validate the credentials from our custom Java application which in turn will pick the credentials from a properties file in the application.
We will be modifying our Mule configuration as shown below:
<spring:beans>
<spring:bean class="com.authentication.CustomAuthenticationProvider" id="customAuthenticationProvider"/>
</spring:beans>
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider ref="customAuthenticationProvider"/>
<!-- picking credentials from Java Class -->
</ss:authentication-manager>
</spring:beans>
<mule-ss:security-manager doc:name="Spring_Security_Provider" name="security">
<mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager" />
</mule-ss:security-manager>
<http:listener-config name="HTTP_Listener_Configuration" host="localhost" port="8082" doc:name="HTTP Listener Configuration" />
<flow name="SpringAuthWithJava">
<http:listener config-ref="HTTP_Listener_Configuration" path="/secure" doc:name="HTTP"/>
<http:basic-security-filter realm="mule-realm"/>
<mule-ss:authorization-filter requiredAuthorities="#{{'ROLE_ADMIN','ROLE_USER'}}"/>
<logger level="INFO" message="## passed security" doc:name="Logger"/>
</flow>You can see how we have configured,authentication-provider which refers to our Java class:
<ss:authentication-provider ref="customAuthenticationProvider"/>Now, let's look into our Java class, which will implement the AuthenticationProvider interface that is shown below:
package com.authentication;
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authValue) throws AuthenticationException {
String name = authValue.getName().trim();
String secratePass = authValue.getCredentials().toString().trim();
if (name.equals(System.getProperty("user.name")) && secratePass.equals(System.getProperty("user.password"))) {
List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
Authentication auth = new UsernamePasswordAuthenticationToken(name, secratePass, grantedAuths);
return auth;
} else {
throw new BadCredentialsException("Bad Credentials entered");
// Custom Message;
}
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}We can see above the user and password are taken from a properties file:
user.name=admin
user.password=systemAnd validated in our Java class:
name.equals(System.getProperty("user.name")) && secratePass.equals(System.getProperty("user.password")) That's it! Time to test our application.
Testing Our Application:
When we will deploy the application under Mule server and hit the application URL in a browser, we will get the following dialogue box prompted, and we will start with entering the wrong credential as shown below:
And soon we will get our custom exception message defined in our Java class in the console below:
Now, we can enter our actual credentials as below:
Which will result in the following success message in our console:
We can add now add our required business logic in the mule flow for further processing.
Now, before we end our blog, what about checking the role of the application client?
Let's change the role of the application client in the below Java class from the role to ROLE_USER:
grantedAuths.add(new SimpleGrantedAuthority("ROLE_DEVELOPER"));So, as we can see that in our Mule flow, we are validating our role:
<mule-ss:authorization-filter requiredAuthorities="#{{'ROLE_ADMIN','ROLE_USER'}}"/>Which purely gives permission and authentication to the above roles. So, changing the role to ROLE_USER will lead following exception in the console:
Which clearly indicates how it controls the role based authentication.
Conclusion:
With the above use case, we can realize easily that it’s very easy to implement the Spring security in our Mule application. The only thing we need to do is to create the custom Java application and configure the user credentials information in the properties file so that the application authentication can be done against those values.
Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.
Like This Article? Read More From DZone
Opinions expressed by DZone contributors are their own.
{{ parent.title || parent.header.title}}
{{ parent.tldr }}
{{ parent.linkDescription }}
{{ parent.urlSource.name }}