
About Provided Policies (Nov 2017 and Jul 2017)

In the process of applying a policy to an API, a list of policies you can apply appears.

Jul 2017 screenshot: select policy

Nov 2017: Two HTTP Basic Authentication policies are available, one based on a simple security manager configuration and the other on an LDAP configuration.

Nov 2017 and Jul 2017: If a policy is already applied, or if the protection it provides is already fulfilled by a policy you applied, the policy appears unavailable. You can filter the list by policy categories:

  • Compliance

  • Security

  • Quality of Service

After selecting a category, you can further filter the list by the kind of protection a policy fulfills. Any requirements for achieving the level of protection specified by the filter are also listed.

Screenshot: policy filters

Anypoint Platform provides the following policies:

Add/Remove Headers (Nov 2017) and (Jul 2017)

Injects or removes HTTP headers from a request or response.

Basic Authentication: LDAP (Nov 2017)

Establishes the configuration details for an Open LDAP or Active Directory LDAP that you set up for your enterprise.

Basic Authentication: Simple (Nov 2017)

Protects the API by requiring username and password when calling apps make a request.

Client ID Enforcement

Requires that calls to the API include a valid client ID and client secret. See footnote.

Cross-Origin Resource Sharing

Allows JavaScript XMLHttpRequest (XHR) calls executed in a web page to interact with resources from non-origin domains. CORS is a commonly implemented way to relax the "same-origin policy" that is enforced by all browsers. This policy enables all origins and makes all resources of the API public.

HTTP Basic Authentication (Jul 2017)

Enforces authentication per the details configured in a Security Manager policy.

IP Blacklist

Denies API calls from a defined set of IP addresses.

IP Whitelist

Limits API calls to a defined set of IP addresses.

JSON Threat Protection

Protects the target API against malicious JSON that could cause problems.

LDAP Security Manager (Jul 2017)

Injects an LDAP-based security manager into the target API.

OAuth 2.0 Access Token Enforcement Using External Provider Policy

Configures the API so that its endpoints require a mandatory and valid OAuth 2.0 token. You must reference an external Mule application that serves as the OAuth provider. Update the RAML of your API using the provided snippet before using this policy.

OpenAM Access Token Enforcement

Configures the API so that its endpoints require a mandatory and valid OpenAM token. This policy is only available to organizations using an OpenAM Federated Identity Management system.

OpenID Connect Access Token Enforcement

Configures the API so that its endpoints require a mandatory and valid token. This policy is only available to organizations using an OpenID Connect Management system.

PingFederate Access Token Enforcement

Configures the API so that its endpoints require a mandatory and valid PingFederate token. This policy is only available to organizations using a PingFederate Federated Identity Management system.

Rate Limiting – SLA-Based

Limits the number of messages per time period processed by an API at a maximum value specified in the SLA tier. Any messages beyond the maximum are rejected. Enforcement is based on the client ID passed in the request. See footnote.

Rate Limiting

Limits the number of messages processed by an API per time period at a maximum value specified in the policy. The rate limiting is applied to all API calls, regardless of the source. Any messages beyond the maximum are rejected.

Simple Security Manager

Supports a placeholder security manager that can be configured with a hard-coded username and password for testing purposes.

Throttling – SLA-Based

Throttles the number of messages per time period processed by an API at a maximum value specified in the SLA tier. Any messages beyond the maximum are queued for later processing. Enforcement is based on the client ID passed in the request. See footnote.

Throttling

Throttles the number of messages processed by an API per time period at a maximum value specified in the policy. The throttling is applied to all API calls, regardless of the source. Any messages beyond the maximum are queued for later processing.

XML Threat Protection

Protects the target API against malicious XML that could cause problems.

Note: Update the RAML of your API using the provided snippet before using this policy.
