Implementation Advanced Security - Gerald Loeffler · 1. Anypoint Platform comes with API policies...

Advanced SecurityImplementationOn Mule 4 and Anypoint Platform

Gerald LoefflerSenior Curriculum Developer and Technical Instructor, EMEA

All contents © MuleSoft Inc.

Safe harbor statement

The information in this presentation is confidential and proprietary to MuleSoft and may not be disclosed without the permission of MuleSoft. This presentation is not subject to your license agreement or any other service or subscription agreement with MuleSoft. MuleSoft has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and MuleSoft's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by MuleSoft at any time for any reason without notice. The information on this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. MuleSoft assumes no responsibility for errors or omissions in this document, except if such damages were caused by MuleSoft intentionally or grossly negligent.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

2


Goals

3

1. Claims-based identity

2. Custom API policies in Mule 4

3. XML SDK components

All contents © MuleSoft Inc. 4

1. Motivation and approach

2. Solution overview

3. Interactions

4. Custom components

5. Summary




3. Interactions


5. Summary


Motivation and approach

6

1. Anypoint Platform comes with API policies for authN and OAuth 2

2. Additional API security requirements:

a. User identity and properties without further authN or remote calls

b. Fine-grained access control to APIs

3. Custom API policies: implement bespoke security requirements

4. XML SDK: componentize Mule app-like functionality




3. Interactions


5. Summary


Security and token realms

8


This talk

9


Claims-based identity

10



11

Packages user properties in signed/encrypted User Claims Token



12

Passed to downstream API



13

Unpacks/decrypts and enforces User Claims Token



14

Establishes trust with upstream API



15

Access control: token validity and user claims




3. Interactions


5. Summary


Detailed components

17


API client sends HTTP request

18

OAuth 2 access token


API policy calls OAuth 2 server

19

validate OAuth 2 access token


In-process propagation of HTTP request

20

user identity


Upstream API implementation

21

invokes downstream API



22

user identity


Custom API policy

23

intercepts outgoing API invocation


Custom component retrieves user claims

24

get user claims by user identity


Custom component

25

packages and encrypts/signs User Claims Token


Internal API invocation

26

User Claims Token as HTTP request header


Custom API policy

27

intercepts incoming API invocation


Custom component

28

unpacks and validates User Claims Token


Custom API policy

29

enforces access control based on user claims



30

user identity and claims


Downstream API implementation

31

executes API business logic




3. Interactions


5. Summary


XML SDK component creating token

33


XML SDK component creating token

34


XML SDK component enforcing token

35


XML SDK component enforcing token

36


API policy intercepting outgoing HTTP request

37


API policy intercepting outgoing HTTP request

38


API policy intercepting incoming HTTP request

39


API policy intercepting incoming HTTP request

40




3. Interactions


5. Summary


Summary

42

1. Implemented API security requirements with custom API policies

2. Encapsulated reusable functionality in custom XML SDK components

a. Code similar to Mule apps

b. Can be reused in Mule apps, custom API policies, …

3. Packaged user properties in token following claims-based identity

a. Encrypted/signed by creator

b. Establishes trust with sender of HTTP request

c. Can be validated without remote calls

d. Allows fine-grained access control to APIs

Thank You !

Implementation Advanced Security - Gerald Loeffler · 1. Anypoint Platform comes with API policies...

Documents

Transcript of Implementation Advanced Security - Gerald Loeffler · 1. Anypoint Platform comes with API policies...