Skip to content

Wallarm Connector for MuleSoft

MuleSoft is an integration platform that enables seamless connectivity and data integration between services with an API gateway serving as the entry point for client applications to access APIs. Wallarm can act as a connector to secure APIs running on MuleSoft.

To use Wallarm as a connector for MuleSoft, you need to deploy the Wallarm node externally and apply the Wallarm-provided policy in MuleSoft to route traffic to the Wallarm node for analysis.

The Wallarm connector for MuleSoft supports only in-line traffic analysis:

Mulesoft with Wallarm policy

Use cases

Among all supported Wallarm deployment options, this solution is the recommended one for securing APIs deployed on the MuleSoft Anypoint platform with only one policy.

Limitations

Requirements

To proceed with the deployment, ensure that you meet the following requirements:

  • Understanding of the Mulesoft platform.

  • Docker installed and running on your host system.

  • Maven (mvn).

  • You have been assigned the Mulesoft Exchange contributor's role, enabling you to upload artifacts to your organization's Mulesoft Anypoint Platform account.

  • Your Mulesoft Exchange credentials (username and password) are specified in the <MAVEN_DIRECTORY>/conf/settings.xml file.

  • Your application and API are linked and running on Mulesoft.

  • Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud.

Deployment

1. Deploy a Wallarm node

The Wallarm node is a core component of the Wallarm platform that you need to deploy. It inspects incoming traffic, detects malicious activities, and can be configured to mitigate threats.

You can deploy it either hosted by Wallarm or in your own infrastructure, depending on the level of control you require.

To deploy a Wallarm-hosted node for the connector, follow the instructions.

Choose an artifact for a self-hosted node deployment and follow the attached instructions:

2. Obtain and upload the Wallarm policy to Mulesoft Exchange

To acquire and upload the Wallarm policy to Mulesoft Exchange, follow these steps:

  1. Proceed to Wallarm Console → Security EdgeConnectorsDownload code bundle and download a code bundle for your platform.

    If running a self-hosted node, contact sales@wallarm.com to get the code bundle.

  2. Extract the policy archive.

  3. Within the pom.xml file, specify the following:

    1. Navigate to Mulesoft Anypoint Platform → Access ManagementBusiness Groups → choose your organization → copy its ID.
    2. Specify the copied group ID in the groupId parameter of the pom.xml file:
    <?xml version="1.0" encoding="UTF-8"?>
        <groupId>BUSINESS_GROUP_ID</groupId>
        <artifactId>wallarm</artifactId>
    
    1. Navigate to Mulesoft Anypoint Platform → Access ManagementBusiness Groups → choose your organization → copy its ID.
    2. Specify the copied group ID in the groupId parameter of the pom.xml file.
    3. For Mulesoft instances hosted in specific regions, update the pom.xml file to use the corresponding regional URLs. For example, for a European instance of Mulesoft:
    <?xml version="1.0" encoding="UTF-8"?>
        <groupId>BUSINESS_GROUP_ID</groupId>
        <artifactId>wallarm</artifactId>
    
        <properties>
            <mule.maven.plugin.version>4.1.2</mule.maven.plugin.version>
            <exchange.url>https://maven.eu1.anypoint.mulesoft.com/api/v1/organizations/${project.groupId}/maven</exchange.url>
        </properties>
    
        <distributionManagement>
            <repository>
                <id>anypoint-exchange-v3</id>
                <name>Anypoint Exchange</name>
                <url>https://maven.eu1.anypoint.mulesoft.com/api/v3/organizations/${project.groupId}/maven
                </url>
                <layout>default</layout>
            </repository>
        </distributionManagement>
    
        <repositories>
            <repository>
                <id>anypoint-exchange-v3</id>
                <name>Anypoint Exchange</name>
                <url>https://maven.eu1.anypoint.mulesoft.com/api/v3/maven</url>
                <layout>default</layout>
            </repository>
        </repositories>
    
  4. Create the conf directory and a settings.xml file inside it with the following content:

    Replace username and password with your actual credentials:

    <?xml version="1.0" encoding="UTF-8"?>
    <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <servers>
        <server>
            <id>anypoint-exchange-v3</id>
            <username>myusername</username>
            <password>mypassword</password>
        </server>
    </servers>
    </settings>
    

    Generate and specify your token in the password parameter:

    <?xml version="1.0" encoding="UTF-8"?>
    <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <servers>
        <server>
            <id>anypoint-exchange-v3</id>
            <username>~~~Token~~~</username>
            <password>01234567-89ab-cdef-0123-456789abcdef</password>
        </server>
    </servers>
    </settings>
    
  5. Deploy the policy to Mulesoft using the following command:

    mvn clean deploy -s conf/settings.xml
    

Your custom policy is now available in your Mulesoft Anypoint Platform Exchange.

Mulesoft with Wallarm policy

3. Attach the Wallarm policy to your API

You can attach the Wallarm policy to either all APIs or an individual API.

Attaching the policy to all APIs

To apply the Wallarm policy to all APIs using Mulesoft's Automated policy option, follow these steps:

  1. In your Anypoint Platform, navigate to API ManagerAutomated Policies.

  2. Click Add automated policy and select the Wallarm policy from Exchange.

  3. Specify an address of the Wallarm node instance including http:// or https://.

  4. If necessary, modify other parameters.

  5. Apply the policy.

Wallarm policy

Attaching the policy to an individual API

To secure an individual API with the Wallarm policy, follow these steps:

  1. In your Anypoint Platform, navigate to API Manager and select the desired API.

  2. Navigate to PoliciesAdd policy and select the Wallarm policy.

  3. Specify an address of the Wallarm node instance including http:// or https://.

  4. If necessary, modify other parameters.

  5. Apply the policy.

Wallarm policy

Testing

To test the functionality of the deployed policy, follow these steps:

  1. Send the request with the test Path Traversal attack to your API:

    curl http://<YOUR_APP_DOMAIN>/etc/passwd
    
  2. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

    Attacks in the interface

    If the Wallarm node mode is set to blocking and the traffic flows in-line, the request will also be blocked.

Updating and uninstalling

To update the deployed Wallarm policy, follow these steps:

  1. Remove the currently deployed Wallarm policy using the Remove policy option in either the automated policy list or the list of policies applied to an individual API.

  2. Add the new policy following the steps 2-3 above.

  3. Restart attached applications in the Runtime Manager to apply new policy.

To uninstall the policy, simply perform the first step of the update process.

Troubleshooting

If the solution does not perform as expected, refer to the logs of your API by accessing Mulesoft Anypoint Platform → Runtime Manager → your application → Logs.

You can also verify whether the policy is applied to the API by navigating to your API in the API Manager and reviewing the policies applied on the Policies tab. For automated policies, you can use the See covered APIs option to view the APIs covered and the reasons for any exclusions.