Security in Mule
Out of the box, Mule provides several tools to ensure the security of applications:
Mule Security Manager, client authentication and authorization on inbound requests as well as credential mapping for outbound calls
LDAP and third party identity management system integration
Validation of inbound requests through the SAML 2.0 federated identity standard
Secure FTP (SFTP) Transport that enables Mule flows to read and write to remote directories over the SSH protocol.
Beyond the out-of-the-box features, Anypoint Enterprise Security, a separate, downloadable module, is a collection of security features that enforces secure access to information in Mule applications. Available as a module to download on your existing instance of Mule Enterprise, this suite of security features provides various methods for applying security to Service-Oriented Architecture (SOA) implementations and Web services. The following security features bridge gaps between trust boundaries in applications:
Mule Secure Token Service (STS) Oauth 2.0 Provider
Mule Credentials Vault
Mule Message Encryption Processor
Mule Digital Signature Processor
Mule Filter Processor
Mule CRC32 Processor
Anypoint Enterprise Security offers developers six tools to ensure that authorized end users have secure access to protected data. Each tool plays a different role in securing a Mule application.
Mule can apply Oauth 2.0 security to a REST Web service provider or consumer. OAuth uses tokens to ensure that a resource owner never has to share credentials, such as a username or password, with a 3rd-party Web service.
For example, Facebook uses OAuth to connect to Gmail to collect a user’s Gmail contacts. When a user initiates the request to connect, Facebook opens a new browser window for the user to enter a Gmail address and password. If authenticated, Gmail provides all the user’s contacts to Facebook, but does not share the user’s Gmail login credentials. OAuth ensures that the 3rd-party Facebook application never has access to the user’s protected Gmail credentials.
Mule can encrypt properties in a properties file. The properties file in Mule stores data as key-value pairs. Mule flows may access this data — usernames, first and last names, credit card information — as the flow processes messages. In the context of Anypoint Enterprise Security, Mule refers to the encrypted properties file as the Mule Credentials Vault. Much more detailed information about using encrypted properties files is available in the Mule Credentials Vault documentation.
Mule can encrypt an entire payload or several fields of data within a message. Where sensitive information must move between users, yet remain hidden from them, a developer can encrypt message content to prevent unauthorized access. Typically, you may need to encrypt data such as a password, credit card number or social security number (SSN).
Mule uses digital signatures to ensure that messages maintain integrity and authenticity. Mule can verify that an incoming Web service request originates from a valid source, and can sign an outgoing Web service response to ensure its contents. Digital signatures ensure that a sender is valid, that a message is not modified in transit between Web services, and that no unauthorized user has tampered with a message.
Mule can filter messages it receives to avoid processing invalid ones. With a filter processor in place, Mule discards any message it receives that does not match the filter’s parameters — a message from outside a set range of IP addresses, for example.
Mule can apply a cyclic redundancy check (CRC) to messages to ensure message integrity. CRC uses an algorithm to apply a check value to a message when it enters a system, and verifies the value when the message leaves the system. If the entry and exit values do not match, CRC marks the message as changed. Generally, CRC32 (32 indicates the 33-bit polynomial length in the algorithm) detects unintentional changes to messages, such as the accumulation of “noise” between transmission points, but it can also detect unauthorized intentional changes – for instance, flagging a message that has been tampered with during transmission to change it into a Trojan horse.