Mule 3.7 HTTP basic security filter error when calling local service

Question

I am calling one mule flow from another using HTTP with basic authentication using the Spring Security Manager. I am using Mule 3.7 and configured everything according to the documentation at:

https://docs.mulesoft.com/mule-user-guide/v/3.7/configuring-the-spring-security-manager

<spring:beans>
    <ss:authentication-manager alias="authenticationManager">
        <ss:authentication-provider>
            <ss:user-service id="userService">
                <ss:user name="${security.user.id}" password="${security.user.password}" authorities="ROLE_ADMIN" />
            </ss:user-service>
        </ss:authentication-provider>
    </ss:authentication-manager>
</spring:beans>

<mule-ss:security-manager>
    <mule-ss:delegate-security-provider name="memory-dao" delegate-ref="authenticationManager" />
</mule-ss:security-manager>

<http:listener-config name="httpLocalListener" host="${local.host}" port="${local.port}" 
    basePath="${local.path}" doc:name="HTTP Local Listener" connectionIdleTimeout="${local.timeout}"/>

<http:request-config name="httpLocalRequest" doc:name="HTTP Local Configuration" responseTimeout="${local.timeout}" 
    basePath="${local.path}" host="${local.host}" port="${local.port}">
    <http:basic-authentication username="${security.user.id}" password="${security.user.password}"/>
</http:request-config>

<flow name="ServiceFlow1" processingStrategy="synchronous">
    <http:listener config-ref="httpLocalListener" path="/status/*" doc:name="HTTP" allowedMethods="GET"/>
    <http:basic-security-filter realm="${security.filter.realm}"/>
    <!-- Omitted code -->
    <http:request config-ref="httpLocalRequest" path="/ping/txt?siteId=#[sessionVars['siteId']]" method="GET" doc:name="HTTP" parseResponse="false">
        <http:success-status-code-validator values="0..599"/>
    </http:request>
</flow>

<flow name="ServiceFlow2" processingStrategy="synchronous">
    <http:listener config-ref="httpLocalListener" path="/ping/txt" doc:name="HTTP" allowedMethods="GET"/>
    <http:basic-security-filter realm="${security.filter.realm}"/>
    <!-- Omitted code -->
</flow>

I get the following error (I removed '//' from http links due to stackoverflow requirements):

ERROR 2016-08-19 10:28:09,539 [[Service].httpLocalListener.worker.02] org.mule.exception.DefaultMessagingExceptionStrategy:

---

Message : Registered authentication is set to org.mule.transport.http.filters.HttpBasicAuthenticationFilter but there was no security context on the session. Authentication denied on endpoint http:0.0.0.0:8081/services/ping/txt. Message payload is of type: NullPayload Type : org.mule.api.security.UnauthorisedException Code : MULE_ERROR--2 JavaDoc : http:www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/security/UnauthorisedException.html Payload : {NullPayload}

---

Exception stack is: 1. Registered authentication is set to org.mule.transport.http.filters.HttpBasicAuthenticationFilter but there was no security context on the session. Authentication denied on endpoint http:0.0.0.0:8081/services/ping/txt. Message payload is of type: NullPayload (org.mule.api.security.UnauthorisedException) org.mule.transport.http.filters.HttpBasicAuthenticationFilter:156 (http:www.mulesoft.org/docs/site/current3/apidocs/org/mule/api/security/UnauthorisedException.html)

---

Any help would be appreciated! Thanks, Dennis

Answer 1

I had the same kind of issue once, but that issue disappeared when I invoked the same URL from Postman where we hit the service along with credentials for basic authentication. The same doesn't work with a normal browser based test because when you invoke the service, it expects the credentials for the basic authentication and then given a pop-up for the same in next instance.

HTTPs basic auth using Postman Client

AM not sure whether this helps or not because my explanation is a bit immature, but might help you get a better idea on the implementation. only thing I can say is, it will throw an error but will work as desired.