Jürgen Zornig

Reputation: 1244

Secured HTTP Proxy over different ESB Products

I'm currently evaluating different ESB Products (in fact I'm focusing on Mule right now). The Use Case is to proxy a simple HTTP Service, an OpenGIS Web Mapping Service WMS.

Here is an example of a freely published WMS Service:

Both return their data as a byte array, which could possibly be the problem I am dealing with.

After I can proxy it through Mule ESB, I want to add security features as follows:

But basically the proxy itself isn't working as I want it to. Here is what I got so far. First I tried to proxy it with a flow to add a security provider on the inbound-address. But the request doesn't seem to get through to the outbound-address, and the response is empty.

<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation" xmlns:spring="http://www.springframework.org/schema/beans" xmlns:mulexml="http://www.mulesoft.org/schema/mule/xml" xmlns:pattern="http://www.mulesoft.org/schema/mule/pattern" xmlns:core="http://www.mulesoft.org/schema/mule/core" xmlns:file="http://www.mulesoft.org/schema/mule/file" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mule-ss="http://www.mulesoft.org/schema/mule/spring-security" xmlns:ss="http://www.springframework.org/schema/security" version="CE-3.2.1" xsi:schemaLocation="...cut...">
<mule-ss:security-manager>  
    <mule-ss:delegate-security-provider name="memory-provider" delegate-ref="authenticationManager"/> 
</mule-ss:security-manager>
<spring:beans>
    <ss:authentication-manager alias="authenticationManager">  
        <ss:authentication-provider> 
            <ss:user-service id="userService"> 
                <ss:user name="ross" password="ross" authorities="ROLE_ADMIN"/>  
                <ss:user name="anon" password="anon" authorities="ROLE_ANON"/> 
            </ss:user-service> 
        </ss:authentication-provider> 
    </ss:authentication-manager>
</spring:beans>
<http:connector name="NoSessionConnector">
    <service-overrides sessionHandler="org.mule.session.NullSessionHandler" />
</http:connector>
<flow name="wfsFlow1" doc:name="wfsFlow1" processingStrategy="synchronous">
    <http:inbound-endpoint exchange-pattern="request-response" host="localhost" port="8081" path="wms" responseTimeout="10000000" doc:name="Geoserver OWS">
        <mule-ss:http-security-filter realm="mule-realm"/>
    </http:inbound-endpoint>
    <http:outbound-endpoint exchange-pattern="request-response" method="GET" address="http://www.wms.nrw.de/wms#[header:INBOUND:http.request]" encoding="UTF-8" disableTransportTransformer="true" responseTimeout="1000000" doc:name="Geoserver OWS"/>
</flow>
</mule>

I think the problem is the response from the WMS Service as a byte array. I tried different response transformers to transform from byte array to string or HTML response, but it didn't work.

I also tried the bridge pattern, but it wasn't providing the parameters with the GET Operation as I expected but by POST, which is not accepted by the underlying WMS Service.

I think my Use Case is pretty simple, but I have been trying to implement it for four weeks now. I did every sample Tutorial these vendors provided, but I wasn't able to set up a simple HTTP Parameter service with any kind of authentication.

Does anybody have any experience with these products, or would anybody be so nice as to answer some specific questions on how to set up an HTTP Proxy with authentication on any of these products?

Many thanks!

Upvotes: 0

Views: 1437

Answers (2)

David Dossot

Reputation: 33413

Mule relies on Spring Security when it comes to authenticating and authorizing people.

Configuring Security is the documentation entry point for dealing with security in Mule. You'll find there information on configuring Spring Security, securing components (like your HTTP bridge) and LDAP authentication.

By default Mule serializes its session into an HTTP header when performing outbound requests. This not only can be a security issue if the remote site is not trusted, but it can also lead to Bad Request issues because the serialized session yields a too large HTTP header.

Knowing that when a security context is present, the Mule Session becomes pretty big, this can cause problems. And indeed, using your config, I was receiving bad request errors from my remote test site! So I added the following to ensure Mule doesn't send its requests over HTTP:

<http:connector name="NoSessionConnector">
    <service-overrides sessionHandler="org.mule.session.NullSessionHandler" />
</http:connector>

Also I removed disableTransportTransformer="true" from your config because this can cause issues too.

Upvotes: 0
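
A check for the behaviour described in the answer above, added here as an example and not code from the answer or from Mule: it inspects an outbound request captured between the proxy and the backend for a serialized-session header and an oversized header block. The header name `MULE_SESSION`, the 8192-byte limit, the host `backend.example` and the sample requests are assumptions constructed for illustration.

```python
# Added example (not from the answer or from Mule).
SESSION_MARKER = "MULE_SESSION"  # assumption: name of the header carrying the serialized session
MAX_HEADER_BYTES = 8192          # assumption: a typical server limit on the header block


def parse_headers(raw: bytes):
    """Return (request_line, [(name, value), ...], header_block_length)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:  # ignore malformed lines without a colon
            headers.append((name.decode("latin-1").strip(),
                            value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers, len(head) + len(sep)


def audit_request(raw: bytes, max_header_bytes: int = MAX_HEADER_BYTES):
    """List findings for one outbound request captured between proxy and backend."""
    request_line, headers, head_len = parse_headers(raw)
    findings = []
    for name, value in headers:
        if SESSION_MARKER in name.upper():
            # Session state is leaving the proxy towards the remote site.
            findings.append(("session-header", name, len(value)))
    if head_len > max_header_bytes:
        # Backends commonly answer this with 400 Bad Request.
        findings.append(("header-block-too-large", request_line, head_len))
    return findings


def build_request(extra_headers):
    """Construct a sample outbound request (constructed data, not a real capture)."""
    lines = ["GET /wms?SERVICE=WMS&REQUEST=GetCapabilities HTTP/1.1",
             "Host: backend.example"]
    lines += [f"{n}: {v}" for n, v in extra_headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


LEAKY = build_request([("MULE_SESSION", "A" * 9000)])  # session serialized into a header
CLEAN = build_request([])                               # as sent with NullSessionHandler

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit_request(raw))
```
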

dev_nut

Reputation: 2542

David, your requirement is lengthy. Let me clarify some points on the WSO2 ESB so you can get started.

  1. WSO2 ESB supports a variety of transports and content types not just SOAP. You may be most interested in the REST and probably JSON support. Links at here and here may help.

  2. All WSO2 servers can be plugged into an external Directory service. Click here for instructions.

  3. All your requirements can be covered. You can go through the comprehensive samples at this location to get a feel for what the ESB can do. Let me also point you to the articles at here, here, here, here and here that would help you with your requirements.

Hope this helps.

Upvotes: 2
