Nav

Custom Policy Reference

This policy definition YAML and policy configuration XML files make up a custom policy.

Policy Definition YAML File

The policy definition file defines the high level properties of the policy, the configurable parameters, labels, and tips that are visible as a UI when implementing the policy.

The following example shows the IP White List policy definition YAML file:


         
      
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
id: ip-whitelist
name: IP whitelist
description: Limits all service calls to a defined set of IP addresses.
category: Security
standalone: true
requiresConnectivity: false
resourceLevelSupported: true
providedCharacteristics:
  - IP filtered
requiredCharacteristics: []
configuration:
  - propertyName: ipExpression
    name: IP expression
    description: |
      Mule Expression for extracting the IP address from this API request.
      for example, #[message.inboundProperties['http.headers']['X-Forwarded-For']]
    type: expression
    defaultValue:
    optional: true
    sensitive: false
    allowMultiple: false
  - propertyName: ips
    name: Whitelist
    description: Limited list of IP addresses allowed API access
    type: ipaddress
    optional: false
    sensitive: false
    allowMultiple: true

New properties you define have values based on what you want users to configure when they apply a policy. The IP White List policy example requires values for the ipExpression and ips properties. The Policy Configuration XML file references these properties. Users are prompted to assign values to them.

The following policy definition values are related to the new policy:

Parameter Description

name

string - Policy name

description

string - A description that displays in the policy details when applying it

category

string - Category of the policy

standalone

boolean - True if the policy can work on its own or false if the policy can be applied only as part of another policy.

providedCharacteristics

array - A list of optional characteristics that are fulfilled by applying this policy.

resourceLevelSupported

boolean - True means the user can apply the policy to specific API resources; False means the policy applies to all API resources. (Mule 3.8.1 and later)

requiredCharacteristics

array - A list of required characteristics that are fulfilled before this policy can be applied. Required characteristics can be fulfilled by applying other policies that provide these. This allows dependencies between policies. Any string input is valid as a characteristic name as long as at least one other policy provides this characteristic, these are case sensitive.

configuration

array - A set of configurable properties associated with your policy, details on the parameters for each property below.

ramlSnippet

string - A security scheme described in the RAML 0.08 specification.

ramlV1Snippet

string - A security scheme described in the RAML 1.0 specification.

providedCharacterics Parameter

Typically, you set providedCharacteristics to avoid clashes between policies that cannot be applied at the same time. For example, only one OAuth 2.0 policy can be applied at a time. Use the OAuth 2.0 protected to specify only one OAuth 2.0 policy.

The list of existing characteristics is:

  • Client ID required

  • CORS enabled

  • Baseline Rate Limiting

  • SLA Rate Limiting

  • Requires authentication

  • IP filtered

  • JSON threat protected

  • Security manager

  • OAuth 2.0 protected

  • OAuth 2.0 provider

  • XML threat protected

This list is unlimited: any string input is valid as a characteristic name. The list items are case sensitive.

configuration Parameter

The configuration parameter lists a set of properties. Each can contain the following parameters:

Parameter Description

propertyName

string - Property name for internal reference

name

string - Property name to display in configuration window

description

string - Property description to display in configuration window

type

string - Data type: string, boolean, int, ipaddress, expression (in MEL), keyvalues, rateLimits

optional

boolean - True if assigning a value for it is optional.

sensitive

boolean - True if the information contained by this field is sensitive (typically used for passwords and tokens). When policy information is requested from the server, these sensitive fields are filtered out.

allowMultiple

boolean - True if multiple values can be assigned. Only valid if type is ipaddress.

minimumValue

int - Only for values of type int

maximumValue

int - Only for values of type int

defaultValue

Only for properties of type int, boolean, string and expression

propertyName Syntax

The following snippets show how to define propertyName parameters of the following types:

  • Integer

  • Boolean

  • String

  • Map

Integer


           
        
1
2
3
4
5
6
7
8
9
10
configuration:
 - propertyName: aint
   name: Test Int single between 5 and 10
   description: Some Description
   type: int
   minimumValue: 5
   maximumValue: 10
   optional: true
   sensitive: false
   allowMultiple: false

Boolean


           
        
1
2
3
4
5
6
7
8
9
configuration:
 - propertyName: aboolean
   name: Test Boolean single
   description: Some Description
   type: boolean
   optional: true
   sensitive: false
   allowMultiple: false
   defaultValue: false

String


           
        
1
2
3
4
5
6
7
8
configuration:
 - propertyName: astring
   name: Test String single
   description: Some Description
   type: string
   optional: true
   sensitive: false
   allowMultiple: false

Map


           
        
1
2
3
4
5
6
7
8
configuration:
 - propertyName: amap
   name: Test Key/Value Map
   description: Some Description
   type: keyvalue
   optional: true
   sensitive: false
   allowMultiple: true

ramlSnippet and ramlV1Snippet Parameters

In the YAML of the custom policy, you can include the ramlSnippet and ramlV1Snippet parameters. When you add the custom policy to Anypoint Platform, links for the RAML .80 or RAML 1 snippets show up in the Applied Policies list.

The following snippet shows ramlSnippet and ramlV1Snippet parameters in a snippet of the YAML file of the out-of-the-box Throttling-SLA based policy:

id: test
name: test
description: Rosario Central
...
configuration:
  - propertyName: omar
    name: arnaldo
...
  - propertyName: rosario
    name: central
...
ramlSnippet: |
  traits:
  - client-id-required:
      queryParameters:
        client_id:
          type: string
        client_secret:
          type: string
  ...
  /products:
  get:
    is: [client-id-required]
    description: Gets a list of all the inventory products.
ramlV1Snippet: |
  traits:
  client-id-required:
    queryParameters:
      client_id:
        type: string
      client_secret:
        type: string
  ...
  /products:
  get:
    is: [client-id-required]
    description: Gets a list of all the inventory products.

Policy Configuration XML File

The policy configuration is an XML file that implements the actual execution of the policy. The configuration achieves this by leveraging the elements in a flow when creating a Mule Runtime application. All of the elements usable in Mule Runtime can be used in a custom policy.

The policy configuration defines the actual processes that carry out the implementation of the policy. Structured like a Mule app, you wrap content in the following tags:


         
      
1
2
<policy>
</policy>

The opening <policy> tag includes references to all of the Mule XSD files used in the policy. Some of the Mule elements you can add require adding the corresponding XSD reference too.

In the API Gateway runtime 2.0 and later and Mule 3.8 unified runtime, add properties id and policyName to the <policy> element parameters to gather data about the API for analytics.

By default, when you create a custom policy, you have access to the following default configuration properties that you can reference in the configuration XML file:

Property Description

policyId

A unique ID for the current policy

endpointUri

The full URI for the inbound endpoint of the API

apiId

Unique ID number for the API

apiVersionId

Unique ID number for the API version

apiName

Name of the API

isRamlEndpoint

Boolean that determines if the endpoint is linked to a RAML definition file

isWsdlEndpoint

Boolean that determines if the endpoint is linked to a WSDL definition file

isHttpEndpoint

Boolean that determines if the endpoint follows the HTTP protocol

In addition to these default properties, you can specify new ones in the policy definition YAML file and reference them in the policy configuration XML file.

Policy Tag Properties

The policy tag properties are important parts of a custom policy XML configuration:

  • order property in the <policy> tag

  • order property in the <before></before>and <after></after>

These properties the order of execution of policies.

The requiresContracts property is critical for client validation.

For more information about and examples of using these properties, see the "Configuration XML Properties Reference". A link to this reference is in the "See Also" section of this topic.

Custom Policy Exception Blocks

You can define before and after exception blocks in custom policy definitions to enhance the catch exception strategy of a flow without the need to modify it. For more information, see the link to the "Custom Policy Exception Blocks Reference" in the "See Also" section of this topic.

Before and After Tags

Enclosed within the main element of the configuration file are two fundamental structures you can add: <before></before> and <after></after> tags. Both are optional, but your policy must have at least one of them if you want it to perform any action at all.

As shown in the following flow, content between the before tags executes every time there’s an incoming request to your API, as soon as the request reaches the inbound endpoint, and before your API executes any of the remaining message processors in your flows. Content between the after tags likewise executes every time there’s a request to your API, right before reaching the outbound endpoint in your API, and after having executed every other one of the message processors in your flows.

basic+flow

In addition to the <before></before> and <after></after> tags, you can also add <mule:processor-chain></mule:processor-chain> tags as additional flows where you can perform more procedures. These flows don’t execute on their own, they must be referenced one way or another by either the before or the after sections of your policy. When writing a policy, unlike when writing a Mule application, you must add a mule: suffix to the name of the element.


          
       
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<policy>
    <before>
        <!-- Elements automatically executed at the start -->
    </before>
    <after>
        <!-- Elements automatically executed at the end -->
    </after>
 
    <mule:processor-chain name="chain1">
        <!-- This flow may be called to be executed by the others -->
    </mule:processor-chain>
 
    <mule:processor-chain name="chain2">
        <!-- This flow may be called to be executed by the others -->
    </mule:processor-chain>
</policy>

The "Pointcuts Reference" section of this document covers enabling resource level policies. The following example runs versions earlier than Mule 3.8.4 and does not support resource level policies.


          
       
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
<?xml version="1.0" encoding="UTF-8"?>
<policy id="4444"
        policyName="HTTP Basic Authentication"
        xmlns="http://www.mulesoft.org/schema/mule/policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:spring="http://www.springframework.org/schema/beans"
        xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security"
        xmlns:ss="http://www.springframework.org/schema/security"
        xmlns:api-platform-gw="http://www.mulesoft.org/schema/mule/api-platform-gw"
        xsi:schemaLocation="http://www.mulesoft.org/schema/mule/policy http://www.mulesoft.org/schema/mule/policy/current/mule-policy.xsd
              http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
              http://www.mulesoft.org/schema/mule/spring-security http://www.mulesoft.org/schema/mule/spring-security/current/mule-spring-security.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-current.xsd
              http://www.mulesoft.org/schema/mule/api-platform-gw http://www.mulesoft.org/schema/mule/api-platform-gw/current/mule-api-platform-gw.xsd">
    <!-- HTTP BASIC AUTH POLICY -->
    <!-- The HTTP basic auth policy adds a validation that requires -->
    <!-- all requests to contain the Authorization HTTP header, -->
    <!-- in case it doesn't send back a challenge. -->
    <!-- The policy consists of two parts. -->
    <!-- The first part is the configuration of a security manager, -->
    <!-- which in this case is using a mocked up one with a single -->
    <!-- hardcoded user. -->
    <spring:beans>
        <ss:authentication-manager alias="example-authentication-manager">
            <ss:authentication-provider>
                <ss:user-service id="userService">
                    <ss:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
                </ss:user-service>
            </ss:authentication-provider>
        </ss:authentication-manager>
    </spring:beans>
    <mule-ss:security-manager name="example-security-manager">
        <mule-ss:delegate-security-provider name="example-security-provider" delegate-ref="example-authentication-manager" />
    </mule-ss:security-manager>
    <!-- The second part is the injection of the filter itself, that uses the previously configured security manager. -->
    <!-- Notice that the injection happens according to the pointcut criteria specified below. -->
    <before>
        <mule-ss:http-security-filter securityManager-ref="example-security-manager" realm="mule-realm" />
    </before>
    <!-- The following provides a custom trait to the RAML of the API if it uses APIkit. Otherwise it is ignored. -->
    <raml-security-scheme id="basic"><![CDATA[
        description: Resource access is protected using basic authentication.
        type: Basic Authentication
        describedBy:
            headers:
                Authorization:
                    description: |
                       Sends username and password encoded in RFC2045-MIME variant of Base64.
                    type: string
                    example: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
            responses:
                403:
                    description: |
                        Invalid username and password
    ]]></raml-security-scheme>
    <!-- Pointcuts specify where this policy takes effect. 
         The pointcut refers to a specific API and Version. -->
    <pointcut>
        <api-platform-gw:api-pointcut apiName="sampleApi" apiVersion="1.0.0"/>
    </pointcut>
</policy>

The DataWeave component is not supported for use within your Custom Policies.