Mule Runtime 4.x Policy Reference

Rate limited APIs running under Mule 4 can use the following flags that APIs running under earlier releases cannot: Clusterizable and Expose headers

Clusterizable Flag

In 2.x API Gateway Runtime or Mule Runtime 3.x configured as a cluster, the policy automatically runs in distributed mode. In Mule Runtime 4.x. you can choose distributed or standalone mode, despite the runtimes being configured as a cluster. If the mode is standalone, the clusterizable flag does not change any behavior.

Expose Headers Flag

This flag blacks out x-rate-limit headers from the response.

Token Validation Response Example

The following example shows HTTP message headers returned as a token validation response.

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Date: Mon, 09 Mar 2015 19:08:07 GMT
Accept-Ranges: bytes
Server: Restlet-Framework/2.1.1
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
{"uid":"john.doe","mail":"","scope":["uid","mail","cn","givenName"],"grant_type":"password","cn":"John Doe Full","realm":"/","token_type":"Bearer","expires_in":580,"givenName":"John","access_token":"fa017a0e-1bd5-214c-b19d-03efe9f9847e"}

This token validation response may vary and, if Expose Headers is enabled, the proxy sends all headers received to the backend implementation with the following exceptions:

  • scope

  • expires_in nodes

Other Mule Runtime 4.x Features

Other features that affect policies are:

  • Policy ordering

    In API Gateway Runtime 2.x and Mule Runtime 3.x, with the exception of CORS which runs always first, Rate Limiting and Throttling policies run first in the chain. In Mule runtime 4.x, which policies run first is completely configurable with the exception of CORS.

  • DataWeave

    MEL expressions are replaced by DataWeave.

  • Optional Client Secret

    You can choose to check only the Client Id in your SLA policy. This is especially useful when combining this policy with a federated one.

  • Compatibility with federation policies

    Federation policies (OpenAM, PingFederate, and OpenID Connect OAuth Token Access) are fully compatible with SLA policies. You can order all policies except CORS and client secret is not required. The OAuth policies can exchange the token for the client ID and feed the client ID to the SLA policy.