Mule API Policy enforcement
In the age of APIs, API Policy enforcement is a crucial part of any API platform – and in this post, we are going to cover how to do Mule API policy enforcement.
Mule options for Policy enforcement
When Mule entered the API world, there was a need for policy enforcement to secure the APIs exposed to the external world. MuleSoft launched API Gateway servers to meet this requirement; these can be thought of as Mule ESB containers with added policy enforcement capabilities.
Advantages of API Gateway:
- If you have Mule running within your infrastructure, you can deploy API Gateway in the DMZ for the APIs exposed outside your network, and only authorized requests are forwarded from API Gateway to your back-end implementation.
- Clear separation of concerns: policy enforcement vs. API implementation
Disadvantages of API Gateway:
- You need an additional server in your infrastructure to manage and maintain your APIs
- If you are deploying the code to CloudHub (Anypoint Platform), you need one more application running as a proxy, which means additional vCores and additional cost
- If the API implementation server can be reached directly, the API can be called without any policy being enforced (a potential security threat or a violation of security guidelines)
Mule ESB v3.8.0 and above:
To remove these limitations, MuleSoft built the API Gateway capabilities into Mule ESB 3.8.0 and later, and deprecated the standalone API Gateway.
The apparent benefits compared to the previous architecture are:
- One server and one code base to manage and maintain
- If deploying to CloudHub, no additional proxy application is needed
- No security loophole that allows the implementation to be called directly, bypassing the policies
Let’s take a look at how to do policy enforcement using Mule 3.8.0 and above.
Create an API Specification
If you have already created an API or have an API in mind, you can skip this step. If not, follow the steps in this section.
- First, create a simple API to which we will apply a policy. To do this, log in to Anypoint Platform. From the left navigation bar, select Design Center and click Create API Specification.
- Give the project name as “demo”. Then add the contents of https://docs.mulesoft.com/apikit/_attachments/api.raml to it and Save (Ctrl+S).
Create Project in Studio from an API Spec
Now that we have created the RAML definition, we are going to import it and build the project.
- Open Anypoint Studio. Go to File > New > Mule Project
- Project Name: apipolicyenforcement
- Runtime: Mule Server 3.8.5 EE
- Check Add APIkit components and select Design Center.
- You will be asked to log in to Anypoint Platform.
- It lists all the APIs that are available. Select the project you want to implement and click OK.
- Finally, click Finish. Once it completes, you will see the flows generated as usual.
Add Autodiscovery Global Element to your project
- In Project Explorer, select the app configuration, for example demo.xml in src/main/app, which you imported in the previous step.
- Create a global element to declare the details of the API version you want Anypoint Platform to discover:
a. In API Name, type the name of your API, for example “apipolicyenforcement”.
b. In API Version, type the version identifier, for example, 1.0.
c. In Flow Name, select the flow to which you want to direct requests from the drop-down. For example, select demo-main, the Demo API main flow.
d. Check the option to automatically create an API if it doesn’t exist.
e. In APIkit Router Configuration, select demo-config from the drop-down.
f. Click OK to validate the changes.
g. Save your project.
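As an added illustration (not from the original post), this is roughly what steps a to g produce in demo.xml for a Mule 3.8 project, using the names from this post. The namespace URIs, schema locations and the listener/APIkit elements are written from memory of the Mule 3.x api-platform-gw and APIkit modules and should be compared against what Studio actually generates.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:api-platform-gw="http://www.mulesoft.org/schema/mule/api-platform-gw"
      xmlns:apikit="http://www.mulesoft.org/schema/mule/apikit"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
        http://www.mulesoft.org/schema/mule/api-platform-gw http://www.mulesoft.org/schema/mule/api-platform-gw/current/mule-api-platform-gw.xsd
        http://www.mulesoft.org/schema/mule/apikit http://www.mulesoft.org/schema/mule/apikit/current/mule-apikit.xsd
        http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd">

    <!-- Autodiscovery global element (steps a to e): apiName and version identify the
         API in API Manager, flowRef is the flow whose requests the policies are applied
         to, create="true" registers the API if it does not exist yet, and apikitRef
         points at the APIkit router configuration. -->
    <api-platform-gw:api apiName="apipolicyenforcement" version="1.0"
                         flowRef="demo-main" create="true"
                         apikitRef="demo-config" doc:name="API Autodiscovery"/>

    <!-- Listener and APIkit router configuration as generated by the Studio wizard -->
    <http:listener-config name="demo-httpListenerConfig" host="0.0.0.0" port="8081"
                          doc:name="HTTP Listener Configuration"/>
    <apikit:config name="demo-config" raml="demo.raml" doc:name="Router"/>

    <!-- Main flow: this is the flow referenced by flowRef, so every request entering
         it is subject to the policies applied in API Manager. -->
    <flow name="demo-main">
        <http:listener config-ref="demo-httpListenerConfig" path="/api/*" doc:name="HTTP"/>
        <apikit:router config-ref="demo-config" doc:name="APIkit Router"/>
    </flow>
</mule>
```

Because the autodiscovery element lives in the application itself rather than in a separate gateway, there is no unmanaged implementation endpoint to reach around the policies, which is the point made in the comparison above.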
Setup Studio for Autodiscovery
Autodiscovery automatically links the Mule application with API Manager, which makes managing a Mule API very easy. In this step, we configure Studio so that your application registers itself with Anypoint Platform (the Mule Agent in the deployed runtime tells API Manager: “Hey! I just deployed the implementation of this particular API!”).
- In a browser, log into Anypoint Platform as an administrator and click Access Management. Select Organization, then select your organization from the list. The client ID and client secret appear.
- From Anypoint Studio, go to the preferences menu and select Anypoint Studio > Preferences > Anypoint Studio > Anypoint Platform for APIs. The Preferences dialog for Anypoint Platform for APIs appears.
- Copy the client ID and client secret from the previous step into Client Credentials. This action pairs the Mule runtime with your Anypoint Platform organization.
- Click Validate to verify that the pairing succeeds. Then click OK.
Deploy to Runtime Manager
- Right-click the project name → Deploy to Anypoint Platform → Cloud
- If it asks to choose an environment, choose Sandbox
- Change the deployment name to apipolicyenforcement-v1
- Change the Worker Size to 0.1 vCores
- Click Deploy Application. Choose the environment to deploy to, for example “Sandbox”.
- Wait for the API to be deployed (you can now close that window). Once it is deployed and running, you can check that the API is up by calling: http://<<application-name>>.cloudhub.io/api/sales.
- In Runtime Manager of Anypoint Platform you can see the application as Started.
- If the deployment is successful, in API Manager you should see your API status as Managed.
- Click “configure endpoint” in the API status, check the Implementation URI and click Save.
Test API Policy usage
- Try a simple GET request on the application URL to confirm that you can access the application with no policies applied
In API Manager, apply policies to the API
- For simplicity, let’s take Simple Security Manager and click Configure policy. Enter a username and password of your choice.
- Now add the HTTP Basic Authentication policy, which uses the Simple Security Manager, by adding another policy
- Select Apply configuration to all API methods & resources
- In the Policies tab you can see the applied policies
- Retry the Postman test (or from the browser if you want to) to get the resources again. Give it a couple of seconds (or even a minute) for the policy to sync with the implementation. You should see an error response.
- If you enter Basic Authentication credentials, you should see the request go through.
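As an added example (not from the original post), the manual test in this section can be scripted: the check below probes the application URL without and with Basic Authentication credentials and reports the policy as enforced only when the anonymous request is rejected with 401 and the authenticated one succeeds. The URL, username and password are assumed values, and the local stub server is a constructed stand-in for the policy-protected API so the script runs offline.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

def basic_auth_header(username, password):
    """Header a client sends to satisfy the HTTP Basic Authentication policy."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def get_status(url, headers=None):
    """GET the URL and return its HTTP status; a 401 is a result here, not a failure."""
    try:
        with urlopen(Request(url, headers=headers or {}), timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code

def check_policy(url, username, password):
    """Probe anonymously and with credentials. The policy counts as enforced only
    when the anonymous call gets 401 and the authenticated call gets 200."""
    anonymous = get_status(url)
    authenticated = get_status(url, basic_auth_header(username, password))
    return {"anonymous": anonymous, "authenticated": authenticated,
            "enforced": anonymous == 401 and authenticated == 200}

def start_stub_gateway(username, password):
    """Constructed stand-in for the policy-protected endpoint so the check runs
    offline; it answers like a Basic Authentication policy (401 + WWW-Authenticate)."""
    expected = basic_auth_header(username, password)["Authorization"]

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == expected:
                self.send_response(200)
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the stub silent
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/api/sales"
```

Against a real deployment, replace the stub URL with http://<<application-name>>.cloudhub.io/api/sales and the credentials configured in the Simple Security Manager; because the policy takes a moment to sync, an initial result of `"enforced": False` should be re-checked after a minute before treating it as a misconfiguration.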