Implementation Advanced Security - Gerald Loeffler · 1. Anypoint Platform comes with API policies...
Transcript of Implementation Advanced Security - Gerald Loeffler · 1. Anypoint Platform comes with API policies...
Advanced SecurityImplementationOn Mule 4 and Anypoint Platform
Gerald LoefflerSenior Curriculum Developer and Technical Instructor, EMEA
All contents © MuleSoft Inc.
Safe harbor statement
The information in this presentation is confidential and proprietary to MuleSoft and may not be disclosed without the permission of MuleSoft. This presentation is not subject to your license agreement or any other service or subscription agreement with MuleSoft. MuleSoft has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and MuleSoft's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by MuleSoft at any time for any reason without notice. The information on this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. MuleSoft assumes no responsibility for errors or omissions in this document, except if such damages were caused by MuleSoft intentionally or grossly negligent.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
2
All contents © MuleSoft Inc.
Goals
3
1. Claims-based identity
2. Custom API policies in Mule 4
3. XML SDK components
All contents © MuleSoft Inc. 4
1. Motivation and approach
2. Solution overview
3. Interactions
4. Custom components
5. Summary
All contents © MuleSoft Inc. 5
1. Motivation and approach
2. Solution overview
3. Interactions
4. Custom components
5. Summary
All contents © MuleSoft Inc.
Motivation and approach
6
1. Anypoint Platform comes with API policies for authN and OAuth 2
2. Additional API security requirements:
a. User identity and properties without further authN or remote calls
b. Fine-grained access control to APIs
3. Custom API policies: implement bespoke security requirements
4. XML SDK: componentize Mule app-like functionality
All contents © MuleSoft Inc. 7
1. Motivation and approach
2. Solution overview
3. Interactions
4. Custom components
5. Summary
All contents © MuleSoft Inc.
Security and token realms
8
All contents © MuleSoft Inc.
This talk
9
All contents © MuleSoft Inc.
Claims-based identity
10
All contents © MuleSoft Inc.
Claims-based identity
11
Packages user properties in signed/encrypted User Claims Token
All contents © MuleSoft Inc.
Claims-based identity
12
Passed to downstream API
All contents © MuleSoft Inc.
Claims-based identity
13
Unpacks/decrypts and enforces User Claims Token
All contents © MuleSoft Inc.
Claims-based identity
14
Establishes trust with upstream API
All contents © MuleSoft Inc.
Claims-based identity
15
Access control: token validity and user claims
All contents © MuleSoft Inc. 16
1. Motivation and approach
2. Solution overview
3. Interactions
4. Custom components
5. Summary
All contents © MuleSoft Inc.
Detailed components
17
All contents © MuleSoft Inc.
API client sends HTTP request
18
OAuth 2 access token
All contents © MuleSoft Inc.
API policy calls OAuth 2 server
19
validate OAuth 2 access token
All contents © MuleSoft Inc.
In-process propagation of HTTP request
20
user identity
All contents © MuleSoft Inc.
Upstream API implementation
21
invokes downstream API
All contents © MuleSoft Inc.
In-process propagation of HTTP request
22
user identity
All contents © MuleSoft Inc.
Custom API policy
23
intercepts outgoing API invocation
All contents © MuleSoft Inc.
Custom component retrieves user claims
24
get user claims by user identity
All contents © MuleSoft Inc.
Custom component
25
packages and encrypts/signs User Claims Token
All contents © MuleSoft Inc.
Internal API invocation
26
User Claims Token as HTTP request header
All contents © MuleSoft Inc.
Custom API policy
27
intercepts incoming API invocation
All contents © MuleSoft Inc.
Custom component
28
unpacks and validates User Claims Token
All contents © MuleSoft Inc.
Custom API policy
29
enforces access control based on user claims
All contents © MuleSoft Inc.
In-process propagation of HTTP request
30
user identity and claims
All contents © MuleSoft Inc.
Downstream API implementation
31
executes API business logic
All contents © MuleSoft Inc. 32
1. Motivation and approach
2. Solution overview
3. Interactions
4. Custom components
5. Summary
All contents © MuleSoft Inc.
XML SDK component creating token
33
All contents © MuleSoft Inc.
XML SDK component creating token
34
All contents © MuleSoft Inc.
XML SDK component enforcing token
35
All contents © MuleSoft Inc.
XML SDK component enforcing token
36
All contents © MuleSoft Inc.
API policy intercepting outgoing HTTP request
37
All contents © MuleSoft Inc.
API policy intercepting outgoing HTTP request
38
All contents © MuleSoft Inc.
API policy intercepting incoming HTTP request
39
All contents © MuleSoft Inc.
API policy intercepting incoming HTTP request
40
All contents © MuleSoft Inc. 41
1. Motivation and approach
2. Solution overview
3. Interactions
4. Custom components
5. Summary
All contents © MuleSoft Inc.
Summary
42
1. Implemented API security requirements with custom API policies
2. Encapsulated reusable functionality in custom XML SDK components
a. Code similar to Mule apps
b. Can be reused in Mule apps, custom API policies, …
3. Packaged user properties in token following claims-based identity
a. Encrypted/signed by creator
b. Establishes trust with sender of HTTP request
c. Can be validated without remote calls
d. Allows fine-grained access control to APIs
Thank You !