MULE – security
- Rajesh Kumar
MULESOFT – Anypoint platform security components
• Anypoint Enterprise Security
• API Security Manager
• Virtual Private Cloud (VPC)
MULESOFT – Enterprise Security Modules
• Mule Secure Token Service (STS) OAuth 2.0a Provider (part of the Enterprise edition)
• Security for REST service providers/consumers (for the APIs we develop using MULE API-led connectivity)
Ensure that the API is properly protected by the right authentication / authorization schemes.
Authorization & Authentication
• SAML
• OAuth 2
• WS-Security
• PingFederate
MULESOFT – Enterprise Security Modules
Each layer has specific security requirements in the API-led approach:
• Experience: this layer needs to be protected by inbound security.
• Process: in this layer, fine-grained security is applied as to who has access to which process API.
• System Connectivity: this layer needs to be protected by outbound security.
MULESOFT – Enterprise Security Modules
(Diagram: security applied per API layer)
• Clients: Web / Mobile / Desktop
• Experience APIs: Inbound Security (Authentication, Authorization and Data Security); API Manager security policies
• Process APIs: Process-level fine-grained security
• System APIs: Outbound Security (Authentication, Authorization and Data Security)
• Backends: On-premise / Cloud applications
Securing API in Anypoint platform
The combination of HTTPS and OAuth 2.0 is the best practice for Web API security.
Basic Authentication (HTTPS)
The http-security-filter knows how to decode the incoming Base64-encoded username and password before passing them to the security manager. Failure to authenticate results in a 403 sent back to the client.
Securing API in Anypoint platform – OAuth 2.0
The oauth-provider config exposes a URL over which it receives requests for a token in exchange for credentials (client id, secret, username and password). It also passes the username and password to the security-manager before proceeding to issue a token.
Every invocation of the API should be protected with an oauth-provider validate message processor. This checks for an incoming token and verifies that it is valid, still within its expiration window, and allows the client to actually invoke this flow. Tokens are issued based on requested scopes, and the validation takes scope into account when making its decision. If validation fails, a 403 is returned to the client. If it succeeds, the flow continues to execute normally.
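The two checks described on these slides (the Basic-auth filter handing decoded credentials to a security manager, and the OAuth validate step rejecting missing, expired or under-scoped tokens with a 403), modelled as an added Python example; this is not Mule code, and the user store, token store and fixed clock are constructed stand-ins for the security-manager and oauth-provider state.

```python
import base64
import binascii

# Constructed fixed clock and stores standing in for the security-manager
# and the oauth-provider's token registry (not real Mule state).
NOW = 1_700_000_000
USERS = {"alice": "s3cret"}
TOKENS = {
    "tok-valid":   {"client": "app1", "scopes": {"READ", "WRITE"}, "expires": NOW + 3600},
    "tok-expired": {"client": "app1", "scopes": {"READ"},          "expires": NOW - 1},
}


def basic_header(user, password):
    """Build the Authorization header a client sends for Basic auth."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_auth_filter(authorization_header, users=USERS):
    """Mirror the http-security-filter: decode the Base64 user:password pair,
    check it against the credential store, and answer 200 or 403."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return 403
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 403  # malformed credential, same outcome as a bad password
    user, sep, password = decoded.partition(":")
    if not sep or users.get(user) != password:
        return 403
    return 200


def oauth_validate(authorization_header, required_scopes, tokens=TOKENS, now=NOW):
    """Mirror the oauth-provider validate processor: the bearer token must be
    known, still inside its expiry window, and carry every scope the flow
    requires; any failure yields 403, success lets the flow continue (200)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 403
    record = tokens.get(authorization_header[7:])
    if record is None or record["expires"] <= now:
        return 403
    if not set(required_scopes) <= record["scopes"]:
        return 403  # token is valid but was not issued for this flow's scope
    return 200
```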