Nav

Available Policies

Anypoint Platform includes the following out-of-the-box policies in addition to the Simple Security Manager, required for the Basic Auth (Basic 1 name-1 pass) policy:

Client ID Enforcement

All calls to the API must include a valid client ID and client secret.

Cross-Origin Resource Sharing

CORS is a standard mechanism that allows JavaScript XMLHttpRequest (XHR) calls executed in a web page to interact with resources from non-origin domains. CORS is a commonly implemented solution to the "same-origin policy" that is enforced by all browsers. This policy enables all origins, and makes all resources of an API public. To configure a CORS policy, see Applying and Editing a CORS Policy.

HTTP Basic Authentication

Enforces authentication per the details configured in a Security Manager policy.

IP Blacklist

API calls from a defined set of IP addresses are denied.

IP Whitelist

All API calls are limited to to a defined set of IP addresses.

JSON Threat Protection

Protects the target API against malicious JSON that could cause problems.

LDAP Security Manager

Injects an LDAP-based security manager into the target API.

OAuth 2.0 Access Token Enforcement Using External Provider Policy

Configures the API so that its endpoints require a mandatory and valid OAuth 2.0 token. You must reference an external Mule application that serves as the OAuth provider.

OpenAM Access Token Enforcement

Configures the API so that its endpoints require a mandatory and valid OpenAM token. This policy is only available to organizations using an OpenAM Federated Identity Management system.

PingFederate Access Token Enforcement

Configures the API so that its endpoints require a mandatory and valid PingFederate token. This policy is only available to organizations using a PingFederate Federated Identity Management system.

Rate Limiting – SLA-Based

The number of messages per time period processed by an API is rate limited at a maximum value specified in the SLA tier. Any messages beyond the maximum are rejected. Enforcement is based on the client ID passed in the request.

Rate Limiting

The number of messages processed by an API per time period is rate limited at a maximum value specified in the policy. The rate limiting is applied to all API calls, regardless of the source. Any messages beyond the maximum are rejected.

Simple Security Manager

A placeholder security manager that can be configured with a hard-coded username and password for testing purposes.

Throttling -SLA-Based

The number of messages per time period processed by an API is throttled at a maximum value specified in the SLA tier. Any messages beyond the maximum are queued for later processing. Enforcement is based on the client ID passed in the request.

Throttling

The number of messages processed by an API per time period is throttled at a maximum value specified in the policy. The throttling is applied to all API calls, regardless of the source. Any messages beyond the maximum are queued for later processing.

XML Threat Protection

Protects the target API against malicious XML that could cause problems.

Policy Categories

The following table lists the policy, the required characteristic the policy fulfills, and requirements of the policy.

Policy Category Fulfills Required

Client ID Enforcement

Compliance

Client ID Required

None

CORS

Compliance

CORS-enabled

None

HTTP Basic Authentication

Security

Authentication

Security Manager

IP Blacklist

Security

IP Filtered

None

IP Whitelist

Security

IP Filtered

None

JSON Threat Protection

Security

JSON Threat Protected

None

LDAP Security Manager

Security

Security Manager

None

OAuth 2.0 Access Token Enforcement Using External Provider Policy

Security

OAuth 2.0 protected

None

OpenAM Access Token Enforcement

Security

OAuth 2.0 Protected

None

PingFederate Access Token Enforcement

Security

OAuth 2.0 Protected

None

Rate Limiting

Quality of Service

Rate Limited

None

Rate Limiting, SLA-Based

Quality of Service

Rate Limited, Client ID required

None

Simple Security Manager

Security

Security Manager

None

Throttling -SLA-Based

Quality of Service

Throttled, Rate Limited, Client ID required

None

Throttling

Quality of Service

Throttled, Rate Limited

None

XML Threat Protection

Security

XML Threat Protected

None

In this topic: