LDAP Security in Mule
<http:inbound-endpoint
doc:name="HTTP"
exchange-pattern="one-way"
connector-ref="Default_HTTP_Connector"
host="localhost"
port="8080"
path="test_http_inbound_endpoint_path/testHttpAuth">
<!-- Authentication: HTTP Basic challenge using the realm below, credentials checked by the
     named security provider. NOTE: this endpoint references SpringSecurityProviderUT, the
     in-memory FOO/BAR test fixture - a real deployment must point securityProviders at the
     LDAP-backed "SpringSecurityProvider" instead, or the hard-coded test account opens the
     service. Basic credentials are only base64-encoded, so anything beyond a localhost test
     needs TLS in front of this endpoint. -->
<spring-security:http-security-filter
realm="Enter valid user credentials to access the web service"
securityProviders="SpringSecurityProviderUT"/>
<!-- Authorization: being authenticated is not enough, the principal must also hold ROLE_ADMIN.
     Without this filter every valid account in the provider would reach the flow. -->
<spring-security:authorization-filter
requiredAuthorities="ROLE_ADMIN" />
</http:inbound-endpoint>
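<http:inbound-endpoint
doc:name="HTTP"
exchange-pattern="one-way"
connector-ref="Default_HTTP_Connector"
host="localhost"
port="8080"
path="test_http_inbound_endpoint_path/testHttpAuth">
<!-- Authentication-only variant: the security filter verifies the HTTP Basic credentials
     against the named provider, but no spring-security:authorization-filter follows, so any
     successfully authenticated principal - whatever its roles - is accepted. Add the
     authorization filter (requiredAuthorities="...") whenever access must be limited to a role.
     NOTE: same host/port/path as the ROLE_ADMIN-protected endpoint above; presumably the two
     are alternatives, since both cannot be bound in one application at the same time. -->
<spring-security:http-security-filter
realm="Enter valid user credentials to access the web service"
securityProviders="SpringSecurityProviderUT"/>
</http:inbound-endpoint>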
<!-- Mule's Spring Security Manager: each delegate-security-provider wraps a Spring
     AuthenticationManager bean and is referenced by its name from the securityProviders
     attribute of the endpoint filters. -->
<mule-ss:security-manager>
<!-- Directory-backed provider (SpringAuthManager -> LdapServer): the one real endpoints should use. -->
<mule-ss:delegate-security-provider name="SpringSecurityProvider" delegate-ref="SpringAuthManager" />
<!-- Unit-test provider backed by the in-memory FOO/BAR user. Keep this definition out of the
     production configuration (a test-only config file or profile) so no deployed endpoint can
     reference it by mistake. -->
<mule-ss:delegate-security-provider name="SpringSecurityProviderUT" delegate-ref="SpringAuthManagerUT" />
</mule-ss:security-manager>
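<!-- Spring Security LDAP Server bean. Uses ldaps:// (LDAP over TLS, port 636) so the user's
     bind credentials and the directory's answers are not sent in cleartext; the directory's
     certificate must be trusted by the JVM truststore. Plain ldap://host:389 should only
     remain where the link to the directory is otherwise protected. Adjust host and port to
     your directory. -->
<ss:ldap-server id="LdapServer" url="ldaps://ldap.yourorg.com.au:636"/>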
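<!-- Spring Authentication Manager backed by the directory. The user entry is located under
     user-search-base with user-search-filter ({0} = the submitted login name, filter-encoded by
     Spring before it reaches the directory) and authenticated by binding as that entry.
     Group search: {0} is the user's full DN, {1} the login name. memberUid (posixGroup) stores
     login names, so the filter uses {1}; with the earlier (memberUid={0}) a DN was compared
     against uids, no group ever matched and no ROLE_* was ever granted. Use {0} with
     member/uniqueMember (groupOfNames/groupOfUniqueNames), which hold DNs - verify against
     your schema. Roles are derived from each matching group's cn; note the provider's default
     role-prefix ("ROLE_", upper-cased) is prepended, so a group cn of "admin" yields
     ROLE_ADMIN - set role-prefix explicitly if your group names already carry it. -->
<ss:authentication-manager alias="SpringAuthManager">
<ss:ldap-authentication-provider
server-ref="LdapServer"
user-search-filter="(uid={0})"
user-search-base="ou=People,dc=YourOrg,dc=com,dc=au"
group-search-base="ou=Accessgroups,dc=YourOrg,dc=com,dc=au"
group-search-filter="(memberUid={1})"
group-role-attribute="cn"
/>
</ss:authentication-manager>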
<!-- In-memory user service for unit tests only: one account, FOO / BAR, holding ROLE_ADMIN.
     The password sits in cleartext in this file and, because the DaoAuthenticationProvider
     below sets no passwordEncoder, is compared as-is (Spring Security 3.x behaviour; 5.x
     expects an encoder-id prefix such as {noop}BAR). Acceptable for a throwaway fixture,
     never for a real account or a production configuration. -->
<ss:user-service id="userServiceUT">
<!-- Only the user with id FOO and password BAR, carrying authority "ROLE_ADMIN", is allowed access -->
<ss:user
name="FOO"
password="BAR"
authorities="ROLE_ADMIN"/>
</ss:user-service>
<!-- Spring AuthenticationManager for unit tests: a ProviderManager with a single
     DaoAuthenticationProvider that reads userServiceUT. No passwordEncoder property is set,
     so the submitted password is compared directly with the configured one - fine for the
     FOO/BAR fixture, not for stored credentials of real users. -->
<spring:bean id="SpringAuthManagerUT" class="org.springframework.security.authentication.ProviderManager">
<spring:constructor-arg>
<spring:list>
<spring:bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<spring:property name="userDetailsService" ref="userServiceUT"/>
</spring:bean>
</spring:list>
</spring:constructor-arg>
</spring:bean>
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.mule.api.MuleEventContext;
import org.mule.api.lifecycle.Callable;
import org.mule.api.transport.PropertyScope;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl;
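public class UserACLExtractor implements Callable {

    private static final Logger log = LoggerFactory.getLogger(UserACLExtractor.class);

    /** Session property that receives the authenticated principal's login name. */
    private static final String USER_NAME_PROPERTY = "http.request.inbound.user.name";

    /** Session property that receives the principal's granted authorities as a String[]. */
    private static final String USER_ACL_PROPERTY = "http.request.inbound.user.acl";

    /**
     * Publishes the authenticated principal's user name and granted authorities into the Mule
     * session so downstream flow components can make access decisions without touching the
     * Spring Security objects themselves.
     *
     * <p>Any {@link UserDetails} principal is accepted, which covers both the LDAP-backed
     * {@code LdapUserDetailsImpl} and the in-memory {@code User} produced by the unit-test
     * provider. The ACL values are the bare authority names (e.g. {@code "ROLE_ADMIN"}), taken
     * from {@link GrantedAuthority#getAuthority()} rather than from a {@code toString()} of the
     * collection, which would have left {@code "["}, {@code "]"} and spaces in the entries.
     *
     * <p>Only the identity and the authority names are copied. The password held by the
     * {@code UserDetails} is deliberately never read: it serves no purpose here and reading it
     * only risks it ending up in a log or a session property.
     *
     * @param eventContext the current Mule event; its session must carry the security context
     *                     populated by the inbound {@code spring-security:http-security-filter}
     * @return the inbound message, unchanged apart from the two session properties set
     * @throws IllegalStateException if the session holds no authentication or a principal of an
     *                               unsupported type (fail closed: nothing trustworthy to propagate)
     */
    @Override
    public Object onCall(MuleEventContext eventContext) throws Exception {
        if (eventContext.getSession().getSecurityContext() == null
                || eventContext.getSession().getSecurityContext().getAuthentication() == null) {
            // No security context means the security filter did not run on this endpoint.
            throw new IllegalStateException("No authenticated principal in the Mule session");
        }
        Object principal = eventContext.getSession().getSecurityContext().getAuthentication().getPrincipal();
        if (!(principal instanceof UserDetails)) {
            throw new IllegalStateException("Unsupported principal type: "
                    + (principal == null ? "null" : principal.getClass().getName()));
        }
        UserDetails user = (UserDetails) principal;

        String username = user.getUsername();
        String[] userACL = authorityNames(user.getAuthorities());

        log.debug("USER - {}", username);
        log.debug("GRANTED AUTHORITIES - {}", Arrays.toString(userACL));

        eventContext.getMessage().setProperty(USER_NAME_PROPERTY, username, PropertyScope.SESSION);
        eventContext.getMessage().setProperty(USER_ACL_PROPERTY, userACL, PropertyScope.SESSION);
        return eventContext.getMessage();
    }

    /**
     * Flattens granted authorities into their role names, skipping null entries.
     *
     * @param authorities the principal's authorities; may be null or empty
     * @return the authority names in iteration order, never null
     */
    private static String[] authorityNames(Collection<? extends GrantedAuthority> authorities) {
        if (authorities == null) {
            return new String[0];
        }
        List<String> names = new ArrayList<String>(authorities.size());
        for (GrantedAuthority authority : authorities) {
            if (authority != null && authority.getAuthority() != null) {
                names.add(authority.getAuthority());
            }
        }
        return names.toArray(new String[names.size()]);
    }
}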