How to setup user authentication (verification of username and password) fro Mule ESB http inbound-endpoint?
This http inbound-endpoint will be used for REST service.
Thank you.
<spring:beans>
<security:authentication-manager alias="MyManager">
<security:authentication-provider>
<security:user-service id="UserService">
<security:user name="someusername" password="somepassword" authorities="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</spring:beans>
<spring-security:security-manager>
<spring-security:delegate-security-provider delegate-ref="MyManager" name="InMemory"/>
</spring-security:security-manager>
<flow name="main">
<http:inbound-endpoint address="http://localhost:8000/secured">
<spring-security:http-security-filter realm="mule-realm" securityProviders="InMemory"/>
</http:inbound-endpoint>
...
Mule can be configured with Spring security to provide basic authentication with username and password. The spring security can also be configured to provide role based support where multiple users involve .
Some example you can refer here to get more ideas on it :- http://confluex.com/blog/http-inbound-endpoint-basic-authentication/
and
http://www.javaroots.com/2013/06/how-to-secure-rest-services-in-mule-3.html
also
https://developer.mulesoft.com/docs/display/current/Configuring+the+Spring+Security+Manager
Related
I have a requirement where soap based service needs to be consumed and in order to achieve that I had used WSConsumer component in Mule.
Where we give the service URL in the properties file and refer to it.
<ws:consumer-config name="Web_Service_Consumer" wsdlLocation="serviceApi.wsdl"
service="serviceAPI" port="serviceApiSoap12Port" serviceAddress="${serviceurl}"
doc:name="Web Service Consumer"/>
Now after the development we came to know that QA web service is a HTTPS web service and while hitting the service following exception is received
SSLHandshakeException: General SSLEngine problem
I'm able to hit the service with Http:request connector as following
<http:request-config name="HTTP_Request_Configuration" host="${host}" port="${port}"
doc:name="HTTP Request Configuration" protocol="HTTPS">
<tls:context>
<tls:trust-store insecure="true" />
</tls:context>
</http:request-config>
But the issue with above config is it won't work for HTTP configuration.
I should be able to connect to both HTTP & HTTPS as I have different environments.
Is there a way where I can achieve this with ws:consumer??
I assume the HTTP connector configuration shown is the one queried by your WS Consumer connector. A simple solution would be to configure the protocol of your HTTP config via property file but Mule doesn't play well with it because you may end-up with a TLS Context configured with HTTP and your connector won't work. There is a little trick you can do however: create 2 HTTP configurations - one for HTTP and one for HTTPS:
<http:listener-config name="HTTPS_Config"
protocol="HTTPS"
host="${host}"
port="${port}"
doc:name="HTTPS Config" >
<tls:context>
<tls:key-store type="${keystore.type}"
path="${keystore.path}"
keyPassword="${keystore.keyPassword}"
password="${keystore.password}"/>
</tls:context>
</http:listener-config>
<http:listener-config name="HTTP_Config"
host="${host}"
port="${port}"
doc:name="HTTP Config" >
</http:listener-config>
In a property file, define which configuration (i.e. which protocol) should be used:
host=localhost
port=443
protocol=HTTPS # or HTTP
And finally in your flow, use your property to reference the proper HTTP(S) config:
<flow name="http-testFlow">
<http:listener config-ref="${protocol}_Config" path="/test" doc:name="HTTP"/>
...
</flow>
The trick is to name your configuration ${protocol}_Config such as HTTP_Config and HTTPS_Config so the proper one is used at runtime via config-ref="${protocol}_Config". Mule will then dynamically use the proper configuration when your app is launched. This is entirely transparent for the user as only the protocol (HTTP vs. HTTPS) needs to be configured, and it can be used in any environment.
You can use this differently, the idea is to have Mule pick your HTTP or HTTPS dynamically at runtime.
EDIT: to configure your WS Consumer with HTTPS you'll need to reference a proper HTTP Requester Configuration such as:
<ws:consumer-config name="Web_Service_Consumer"
...
connectorConfig="HTTP_Request_Configuration"/>
<http:request-config name="HTTP_Request_Configuration"
...
<tls:context>
...
</tls:context>
...
/>
See Web Service Consumer documentation for details.
Note: though this solution works I would recommend using HTTPS all the time, for security reasons and to have less differences between your dev/QA/Prod/... environments - among other things.
I faced similar issues, we finally chose to have only an HTTPS config and define via property which keystore to use at runtime. In dev we would use a self-signed certificate and a proper keystore in environments requiring proper security.
Hope this helps.
How do I setup an SFTP (ssh) listener on Mule ESB (CE)?
I could only find the HTTP(S) listener)
Thank you for any hints
There is no separate connector same connector can be used for username-password and publickey. Please refer preferredAuthenticationMethods attribute for more details. Configuration will be like
<sftp:connector name="SFTP" identityFile="ppkOrpemfile_path" preferredAuthenticationMethods="publickey" validateConnections="true" doc:name="SFTP"/>
<flow name="testSFTP_flow">
<sftp:inbound-endpoint connector-ref="SFTP" host="host" port="22" responseTimeout="10000" doc:name="SFTP"/>
</flow>
Hope this helps.
Try to find out wrapper.conf file from your server's conf folder.
Modify the port no
wrapper.java.additional.=-Dmule.mmc.bind.port=7779
MuleESB/ Mule Runtime is not SFTP server. All you can do is using mule SFTP connector pull and push the files (SFTP Client). If you are looking for SFTP server need to host. If your partner company have option to send data over HTTP(S) you could use mule HTTP Listener.
I have a Mule application which needs to talk an external server over HTTPS using 2 way SSL authentication.
My question is: How to enable Server Certificate verification in Mule ? It seems, by default Mule doesn't verify Server's Cert. I am using Mule v 3.3.0.
For example: '-k' option in curl disables server's cert verification.
In similar way, is there any configuration parameter by which I can enable/disable Server's cert verification ?
Thanks
Jai
For Mule versions before 3.6, the HTTP transport supports configuration of the trust store used by the HTTP outbound endpoint to determine whether the certificate presented by an HTTPS server should be trusted.
To provide a key store that contains the certificates of servers you need to trust, provide the <https:tls-server /> to the <https:connector />, and reference that connector in your <https:outbound-endpoint />:
<https:connector name="myHttpsConnector">
<https:tls-server path="truststore.jks" storePassword="supersecure" />
</https:connector>
<flow name="someFlow">
<https:outbound-endpoint host="remote-host" port="443" path="/api" connector-ref="myHttpsConnector" />
</flow>
The blog post linked in clare's answer explains this a bit, from both the server side and the client side. You can also refer to the HTTPS Transport Reference, although it doesn't explain the use of tls-server vs. tls-client.
You can check out this blogpost. It will show you how you can configure mutual authentication in Mule. HTH.
You can configure the HTTP Request connector in Mule >= 3.6.0 to use a trust store you create that contains the certificate(s) of the server(s) you need to trust using TLS Configuration.
It might look something like this:
<tls:context name="tlsContextForServiceFoo">
<tls:trust-store path="serviceFooServerCertificates.jks" password="supersecure"/>
<tls:key-store path="myClientCertificates.jks" keyPassword="extrasecure" password="ultrasecure"/>
</tls:context>
<http:request-config name="twoWayAuthServiceFooConfig"
protocol="HTTPS"
host="services.pentagon.gov"
port="443"
tlsContext-ref="tlsContextForServiceFoo" />
<flow name="useServiceFoo">
<http:request config-ref="twoWayAuthServiceFooConfig" path="/api/doStuff" method="POST" />
</flow>
i am using HTTP component of mule to connect to a REST API which is having a basic Authentication with USERNAME and PASSWORD . I used "HTTP settings" tab of HTTP component to supply the authentication details , username and Password. but i think its not working .
Am i doing anything wrong ? is there any better way to call REST service which is having Basic authentication like.
You should set the Basic Authentication value as a Header Property in to the outgoing Mule Message when you are consuming a REST service via the Mule HTTP outbound endpoint.
<flow name="consume_rest">
.............
..........
<set-property propertyName="Authorization" value="Basic Authorization String combination of Username and password" />
<http:outbound-endpoint exchange-pattern="request-response" method="POST" responseTimeout="20000"
host="localhost" path="rest.path" port="Port number" />
.............
.............
</flow>
Hope this helps.
The following is an example of REST Service with Basic Authentication :-
<mule-ss:security-manager>
<mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager" />
</mule-ss:security-manager>
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider>
<ss:user-service id="userService">
<ss:user name="your username" password="your password" authorities="ROLE_ADMIN" />
<ss:user name="your username2" password="your password2" authorities="ROLE_USER" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</spring:beans>
<flow name="MainService" doc:name="MainService">
<http:inbound-endpoint exchange-pattern="request-response" host="localhost" port="8082" doc:name="HTTP">
<mule-ss:http-security-filter realm="realm" />
<mule-ss:authorization-filter requiredAuthorities="ROLE_ADMIN"/> <!-- Restrict a particular group of users -->
</http:inbound-endpoint>
<jersey:resources doc:name="REST">
<component class="com.test.services.schema.maindata.v1.Impl.MainDataImpl"/>
</jersey:resources>
</flow>
And for connecting an existing external REST Service from Mule use:- http://username:password#host/yourpath in http outbound endpoint
HTTP outbound with basic authentication
Thanks everyone for replying !!
The username and password on the connector is for when you want to secure your inbound endpoint with HTTP basic authentication.
When calling a external services that is secured with basic auth you should use the uri method
I'm working on a project where one of the requirements is to connect to a server using ssl/tls and subscribe to messages. I have setup a tls outbound-endpoint and can connect to the server. I have a spring bean that performs custom handshaking and part of that is subscribing to content from the server. Once subscribed I should receive messages asynchronously without having to poll for them. Is there a way to do this in Mule 3.3? Thanks for the help.
It seems you have a specific use case in which you can't use HTTPS. Mule does provide support for TCP connection, but I couldn't find the option to make the the secure TCP connection (which I beleive will be over SSL).
You can always write your custom endpoint connector code in a java component and call that java component using Quartz (for polling)
<flow name="polling-flow" doc:name="polling-flow">
<quartz:inbound-endpoint jobName="polling"
repeatInterval="5000" responseTimeout="10000" doc:name="Quartz">
<quartz:event-generator-job>
<quartz:payload>call-custom-component-to-poll-secure-tcp</quartz:payload>
</quartz:event-generator-job>
</quartz:inbound-endpoint>
<component doc:name="Java" class="com.company.CustomSecureTCPCode"></component>
<!-- do whatever you want to with the payload received from calling the endpoint -->
</flow>
I used a quartz inbound endpoint and setup an endpoint polling job and polled my endpoint. See the config below:
<flow name="QuartzPollingFlow">
<quartz:inbound-endpoint repeatCount="-1" repeatInterval="1000" jobName="myPoller">
<quartz:endpoint-polling-job>
<quartz:job-endpoint timeout="300" ref="SecureTcpEndpoint"/>
</quartz:endpoint-polling-job>
</quartz:inbound-endpoint>
<flow-ref name="ProcessingFlow"/>
</flow>