Author: Shahzeb Ali Khan
Introduction
Policies enforce regulations to help manage security, control traffic, and improve API adoption. For example, a policy can control authentication, access, and service level agreements (SLAs). Anypoint Platform offers many out-of-the-box policies that we can apply to our APIs. Sometimes, however, we have specific business requirements, and to meet those we develop a custom policy.
Purpose
The normal way of developing a custom policy is to write the XML code manually, because a Mule policy does not allow using the flow designer. This has several drawbacks:
- XML code is not readable
- Complexity of writing the logic increases
- Development time increases
There is a workaround that avoids writing everything in XML and lets you use the flow designer to write the logic. To get started with creating a custom policy and setting up settings.xml, you can refer to these links:
- Custom Policy in Mule 4 – Apisero
- Publishing a Mule 4 Custom Policy | MuleSoft Documentation
Using Flow Designer to develop the policy
Once you have created the policy and imported it into Anypoint Studio, do the following in your template.xml:
- Keep the attributes, payload, or any fields you fetch from the UI of the policy in separate variables (only if required).
- In the XML, add a flow reference inside <http-policy:source> and point it to a flow.
- Go to the flow designer, create a flow with the same name you used in the flow-ref, and implement the logic.
- Store the result in a variable. After the flow-ref, you can validate the result and send a response from the policy as usual.
Notes:
- If you want to use attributes, you have to store them in a variable before the flow-ref; otherwise they will evaluate to null in the sub-flow.
- Make sure your flow begins after </http-policy:proxy>.
- You have to create the flow inside template.xml only. If you have multiple mule configuration xml files, it will fail at build.
Use Case:
To authenticate our APIs, we will receive a JWT assertion in the headers. Our custom policy decodes the token, sends an HTTP request to the OAuth provider, and then invokes a Java method to verify the token; based on the result, we either allow the request or raise an error. Below is the step-by-step explanation:
- Create a folder in which you want to create your policy and open a command prompt in that folder. Once done, run the command below (modify it based on your requirements).
```
mvn -Parchetype-repository archetype:generate -DarchetypeGroupId=org.mule.tools -DarchetypeArtifactId=api-gateway-custom-policy-archetype -DarchetypeVersion=1.2.0 -DgroupId=7f149ad6-1c86-48d2-ae7d-4cbca9eb6059 -DartifactId=ValidateJWT -Dversion=1.0.0-SNAPSHOT -Dpackage=mule-policy
```
- After we import the project into Anypoint Studio, we will configure 4 fields to be taken from the custom policy UI. In your project folder, go to the <project_name>.yaml file and use the code below.
```yaml
id: Validate JWT Token
name: Validate JWT Token
description: This policy would validate the JWT token received.
category: Custom
type: custom
resourceLevelSupported: true
encryptionSupported: false
standalone: true
requiredCharacteristics: []
providedCharacteristics: []
configuration:
  - propertyName: clientIds
    name: Subjects
    description: A comma-separated list of required Client Ids
    type: string
    optional: false
    sensitive: false
    allowMultiple: false
  - propertyName: accountServerUrl
    name: Issuer
    type: string
    optional: false
    sensitive: false
    allowMultiple: false
  - propertyName: expiryTime
    name: Expiry Time
    type: int
    optional: false
    sensitive: false
    allowMultiple: false
    defaultValue: 0
  - propertyName: scopes
    name: Scopes
    type: string
    optional: true
    sensitive: false
    allowMultiple: false
```
Now we use the trick described above: save whatever we require in variables and create a flow-ref inside <http-policy:source>.
- We can now go to the message flow.
- Drag and drop a flow and give it the same name you used in the flow reference.
- You can now start implementing the business logic.
- At the end of the flow, make sure you store the final response in a variable.