Implement Custom Policy Using Flow Designer

Author: Shahzeb Ali Khan


Policies enforce regulations to help manage security, control traffic, and improve API adoption. For example, a policy can control authentication, access, and service level agreements (SLAs). Anypoint Platform offers us many out-of-the-box policies which we can apply to our APIs. But sometimes we have some specific business requirements and to achieve those we develop a Custom Policy


The normal way of developing a custom policy is through writing the xml code manually as a mule policy does not allow using the flow designer. Now this has several drawbacks.

  • XML code is not readable
  • Complexity of writing the logic increases
  • Development time increases.

Now , there is a workaround to avoid writing everything in xml code and to be able to use flow designer to write the logic. To begin with creating a custom policy and setting up the settings.xml you can refer to these links:

Using Flow Designer to develop the policy

Once you have created and imported the policy in your anypoint studio, In your template.xml,

  1.  Keep the attributes, payload or any fields you fetch from the UI of the policy in separate variables.(Only if it’s required) 
  2. Now all you have to do is, in xml make a flow reference inside <http-policy:source> , and point to a flow.
  3. Now you can go to the flow designer and start creating flow with the same name which you referred to in flow-ref and implement the logic.
  4. You can store the result in a variable and after the flow-ref, you can validate the response and send a response from policy as usual.

  • If you want to use attributes, you will have to store it in a variable before flow-ref , otherwise it will evaluate to null in sub-flow.
  • Make sure your flow begins after </http-policy:proxy>.

  • You have to create the flow inside template.xml only. If you have multiple mule configuration xml files, it will fail at build. 
Use Case:

To authenticate our APIs, we will receive a JWT assertion in the headers. Our custom policy would decode the token , send an HTTP Request to the OAuth provider and then invoke a java method to verify the token based on whether we either allow the request or raise an error. Below is the step by step explanation:

  1. Create a folder in which you want to create your policy and open a command prompt in that folder. Once done, run the below code(modify it based on your requirement).
mvn -Parchetype-repository archetype:generate
-DarchetypeVersion=1.2.0  -DgroupId=7f149ad6-1c86-48d2-ae7d-4cbca9eb6059
-DartifactId=ValidateJWT  -Dversion=1.0.0-SNAPSHOT -Dpackage=mule-policy
  1. After we import the project to anypoint studio,we will configure 4 fields to be taken from the custom policy UI. In your project folder Goto <project_name>.yaml file and use the code below.
id: Validate JWT Token
name: Validate JWT Token
description: This policy would validate the JWT token received.
category: Custom
type: custom
resourceLevelSupported: true
encryptionSupported: false
standalone: true
requiredCharacteristics: []
providedCharacteristics: []
 – propertyName: clientIds
   name: Subjects
   description: A comma-separated list of required Client Ids
   type: string
   optional: false
   sensitive: false
   allowMultiple: false
 – propertyName: accountServerUrl
   name: Issuer
   type: string
   optional: false
   sensitive: false
   allowMultiple: false
 – propertyName: expiryTime
   name: Expiry Time
   type: int
   optional: false
   sensitive: false
   allowMultiple: false
   defaultValue: 0
 – propertyName: scopes
   name: Scopes
   type: string
   optional: true
   sensitive: false
   allowMultiple: false

Now we are going to use the trick mentioned above. We would save whatever we require in some variables and create a flow-ref inside .

  1. We can now go to the message flow. 
    1. Drag and drop a flow and give it the same name you used in flow reference.
    2. You can now start with implementing the business logic.
    3. In the end of the flow make sure you store the final response in a variable.

We use cookies on this site to enhance your user experience. For a complete overview of how we use cookies, please see our privacy policy.