Handling NFRs for the API through API policies (Custom Policies) -Part 2 | MuleSoft Mysore Meetup #26

February 18, 2023
Mysore MuleSoft Meetup
Part 2 - Handling NFRs of the API through API
Custom Policies

Safe Harbour Statement
● Both the speaker and the host are organizing this meet-up in individual capacity only.
We are not representing our companies here.
● This presentation is strictly for learning purposes only.
● Organizer/Presenter do not hold any responsibility that same solution will work for
your business requirements.
● This presentation is not meant for any promotional activities.
3

A recording of this meetup will be uploaded to events page within 24 hours
Questions can be submitted/asked at any time in the Chat/Questions and Answers Tab
Make it more Interactive!!!
Give us feedback! Rate this meetup session by filling feedback form at the end of the day
We Love Feedbacks!!! Its Bread & Butter for Meetup
Housekeeping
4

Introduction
● About the Organizers
5
Shubham Chaurasia
Billennium India
Pro Integration Developer
A SHOW OF HANDS:
Who is new to this Meetup?
Giridhar Meka
Sr. Technical Architect
linkedin.com/in/giridharmeka
linkedin.com/in/shubhamchaurasia1

6
Vijayaraghavan Venkatadri
Integration Architect
Introduction
● About the Speaker
✔ Working as an Integration Architect at Ernst & Young GDS
✔ 11+ years of experience in Integration and API products in
Solutioning & Design
✔ Spanning across MuleSoft, IBM stack & Cloud technologies
✔ MuleSoft Mentor & Speaker in the MuleSoft Community
✔ 6x certified in IBM & 2x certified in MuleSoft

Agenda
● Introductions
o Summary of Session One (Part 1 - Recap)
■ API’s NFR & Handling NFR
■ API Out of the Box Policies
■ API Policy Enforcement
o Handling NFR using Custom Policy
o Develop, Package, Publish & Manage a Custom Policy
o Use Case : Creating a Custom policy
● Demo
● Q & A
7

• Non-functional requirements define ground rules of how the implementation of the functional
requirements guarded and performed.
○ When it comes to API-First approach design, the NFR defines how the Web API
implementation should perform and react upon the Web API invocation by Web API client.
○ NFRs seeks below segments encapsulated in an API implementation such as performance,
security, compliance, consistency & reliability.
Summary of Session One (Part 1- Recap)
8
API’s Non-Functional Requirements
Handling Non-Functional Requirements
High Performant Runtime
Plane
API Design API Policy
Defines the scalability and
reliability by increasing the
throughput and processing time
of an API
Increases the consistency in delivering the data
and also increase the throughput, prevent data
loss being persistent
API Policy plays vital role in
handling the NFR to define the
security, compliance, Quality of
your service and operations
For example: CloudHub
For example: server-side caching,
asynchronous reliable implementations, etc.,
For example: Out-of-the-Box
policies, custom policies

✔ Compliance
○ Client ID enforcement
○ Cross-Origin Resource Sharing (CORS)
✔ Security
○ HTTP Basic Authentication API policies
■ Basic Authentication - LDAP
■ Basic Authentication - Simple
○ IP-based API Policies
■ IP blocklist
■ IP allowlist
9
Out of the Box (OOTB) API Policies

○ Threat Protection API Policies
■ JSON threat protection
■ XML threat protection
○ OAuth 2.0 access token enforcement API policies
■ OAuth 2.0 access token enforcement using Mule OAuth Provider
■ OpenAM access token enforcement
■ PingFederate access token enforcement
■ OpenId Connect access token enforcement
○ JSON Web Token
✔ Quality of Service - QoS
○ SLA-based API policies
■ Rate Limiting - SLA-based 10

○ Non-SLA-based API Policies
■ Rate Limiting
■ Spike Control
■ HTTP Caching
✔ Transformation
○ HTTP header manipulation API policies
■ Header Injection
■ Header Removal
✔ Troubleshooting
○ Message Logging
11

12
API Policy Enforcement
Mule Application
Non-Mule Application
(Non-Kubernetes cluster)
Non-Mule Application
(Kubernetes cluster)
On Anypoint Platform, the
embedded Mule runtime
enforce the API policies by
acquiring the API policy
enforcement capability within it
Any non-mule application requires
API proxies which can enable API
policy enforcement. API Proxies are
templated mule applications that
can be auto-generated by Anypoint
API manager. It is deployed to Mule
runtime which is typically called as
API Gateway
Anypoint Service Mesh enables API
policy enforcement which can be
installed by customers into their
customer-hosted Kubernetes
cluster. It builds on Istio, hence it is
required in Kubernetes cluster
before installing Anypoint Service
Mesh.
API policies will be
downloaded in Runtime from
API Manager control plane
using API Auto-discovery
Web API client should invoke API
proxies. Upon enforcing API
policies, the call will be routed to
actual API implementation
Web API clients can invoke Web
API implementation directly in which
Istio/Envoy directly intercept the
invocation and enforce API policy.

✔ Custom policy as the name denotes is a custom-made policy specific to the requirement which
you cannot fulfill through out of the box policies.
✔ These custom policies can developed, published as an asset and apply to the API in the API
Managers.
✔ Ideally a custom policy made of two important configuration files
○ Policy Configuration File: It is a YAML file where the policy parameters and metadata are
defined and subsequently rendered into User Interface field sections.
○ Policy Implementation File: It is a XML file where the actual custom policy logics
implemented and created a deployable JAR file.
Handling Non-Functional Requirements
✔ Custom Policy can accommodate both Functional and Non-Functional requirements. But is
predominantly intended for handling non-functional requirements such as
○ Checking Compliance
○ Additional Authentication
○ Custom Logging, etc..
Custom Policy
13

⮚ http-policy:proxy - The definition of a policy starts with this xml element. This element has an
argument that states the policy name.
⮚ http-policy:source - The element contains the instruction to execute and also can perform pre and
post processing activities before and after the HTTP listener event.
⮚ http-policy:execute - The element requires to execute actual Mule application or other policy.
▪ The instruction before the execute element will execute before executing Mule event processing.
▪ The instruction after the execute element will execute after executing Mule event processing.
Policy Implementation File - XML
14

An API having two custom policies in the order of authentication and logging
15
Execution Order
When an Web API invocation happens, the transaction route will take place in below pattern
★ Authenticate
★ Log-request
★ Flow execution
★ Log-response

✔ Like Mule application, custom policies also can use extension to make use of mule core capabilities.
✔ Example: mule-http-policy-transform-extension - is used to simplifies the modification of HTTP requests
and responses that go through the different policies.
✔ Also, custom code incorporation is allowed by using Mule plugin programmed using java or XML SDK.
16
Using Extension
✔ Applying API policies for the outbound calls i.e. outgoing HTTP calls within Mule application.
✔ http-policy:operation - is used to inject instructions before the Mule processing reaches the HTTP
requester.
Outbound Policies
Error Handling
✔ Mule 4 can handle errors thrown by API policy. Error handling can be done try and error-handler
elements.
✔ Once an error is caught by an error-handler, the error is either, propagated up the Mule Event
processing chain, or handled, where normal Mule event process execution continues

✔ Handlebars are simple templating framework which is required to control the execution of the
instructions within the Custom Policy.
✔ The execution will happen only when the appropriate criterias are selected.
○ It will access configuration values from YAML config file
○ Conditionally decides which section of the policy are applied depending on the selection criteria
○ Supports multiple operators
17
Handlebars

✔ Mule 4 uses this YAML file to store metadata and user parameters.
These parameters rendered in UI.
✔ This flexible design to allows policy to work for multiple API.
Policy Configuration File - YAML
18
Parameters Type
✔ Depending on the type of the parameter, the UI will render,
such as:
○ text boxes
○ radio buttons
○ checkboxes

✔ Mule 4 requires below steps for publishing a full-fledged custom policy
➢ Develop the policy
➢ Package the policy
➢ Upload the resulting policy assets to Exchange
➢ Apply the policy to any API through API Manager
Publishing Custom Policy
19
Develop the policy
✔ The first step to develop a custom policy consists in setting up a project with the required files.
✔ Maven archetype is the easiest way to gather required files in the project
✔ There are four files created and needed for a working policy
➢ pom.xml
➢ mule-artifact.json
➢ custom-policy.yaml
➢ template.xml

Publishing Custom Policy
20
Packaging the policy
✔ Use Maven plugin to package the policy into a deployable jar file.
✔ Use mvn clean package command to package your application
Upload the policy to Exchange
✔ In order to deploy to exchange, update your settings.xml with your exchange credentials or use
connected apps.
✔ Use mvn clean deploy command to deploy to Exchange.
Apply the policy to API via API Manager
✔ In the Anypoint API Manager, you can see the custom Policy is available in the Custom Policy section.
✔ Apply the Custom policy to the API you want.

USE CASE: Creating a Custom Policy
21
✔ A specific use case that an API receives customer creating request in which it has all the
customer information. As part of the customer creation in the backend, custId should be
generated in the response.
✔ Custom Logging Requirement
➢ Custom Message to be logged when the request is received.
➢ Should have option to dynamic plug and play logging in the request and the response.
➢ If the request logging is enabled,
■ Request attributes to be logged
■ Option of enabling/disabling of request attributes should be available.
➢ If the response logging is enabled
■ Response Payload to be logged
■ Option of enabling/disabling of response payload should be available.
POST /customers

Take a stand !
● Nominate yourself for the next meetup speaker and suggest a topic as well.
24

● Share:
○ Tweet using the hashtag #MuleSoftMeetups
○ Join Mysore Group: https://meetups.mulesoft.com/mysore/
● Feedback:
○ Fill out the survey feedback and suggest topics for upcoming events
○ Contact MuleSoft at meetups@mulesoft.com for ways to improve the program
○ Reach out to Mysore Meetup Leaders (Shubham/Giridhar) to suggest topics
for next Meetup
What’s next?
25

Handling NFRs for the API through API policies (Custom Policies) -Part 2 | MuleSoft Mysore Meetup #26

Recommended

Recommended

More Related Content

Similar to Handling NFRs for the API through API policies (Custom Policies) -Part 2 | MuleSoft Mysore Meetup #26

Similar to Handling NFRs for the API through API policies (Custom Policies) -Part 2 | MuleSoft Mysore Meetup #26 (20)

More from MysoreMuleSoftMeetup

More from MysoreMuleSoftMeetup (20)

Recently uploaded

Recently uploaded (20)

Handling NFRs for the API through API policies (Custom Policies) -Part 2 | MuleSoft Mysore Meetup #26