MuleSoft
Understanding the XML Threat Protection Policy

Pre-requisites

Anypoint Studio:

  • Anypoint Studio should be set up.

Salesforce:

  • You need a Salesforce developer account.
  • Create a Salesforce custom object with the fields your scenario requires.
  • Click Create in the home section on the right-hand side, then Custom Object, and fill in the object name. Then open Fields & Relationships and add the fields with their respective data types.
  • In this scenario we have three fields, carName__c, carPrice__c and carType__c, all of type Text.
  • Keep the security token handy. Click the profile icon, then Settings (top right corner of the screen), type "security token" in the Quick Find box and click Reset My Security Token.
    • Note: the same token can be reused until it is reset. Resetting generates a new token and invalidates the old one, so any integration still configured with the old token stops authenticating until it is updated with the new one.
    • Treat the token as a credential: the Salesforce connector's Basic Authentication configuration takes it alongside the username and password, so keep it in secure properties rather than in source.
  • The security token is sent to the registered email address.

XML Threat Protection

  • Policies are sets of rules applied on top of an API to enforce security, govern behaviour, and manage traffic.
  • The XML Threat Protection policy is a security control that protects APIs from XML-based attacks (oversized or deeply nested documents that exhaust the parser), reduces the risk of application downtime, and ensures safe processing of XML input.
  • It is one of the standard (out-of-the-box) policies and enforces the XML constraints at the gateway, so an oversized request is rejected before it reaches the backend application.
  • The following properties need to be configured for the XML threat protection policy:
    • Maximum Node Depth:
      • Specifies the maximum nesting depth allowed for elements in the XML body.
      • For example, if the value is set to 2 and the body contains an element nested three levels deep, an error is thrown.
    • Maximum Attribute Count per Element:
      • Specifies the maximum number of attributes allowed on a single element.
      • For example, if the value is set to 1 and an element carries two attributes, an error is thrown.
    • Maximum Child Count:
      • Specifies the maximum number of child elements allowed under a single element.
      • For example, if the value is set to 3 and an element has four children, an error is thrown.
    • Maximum Text Length:
      • Specifies the maximum length of the text value allowed inside an element.
      • For example, if the value is set to 10 and an element's text is 11 characters long, an error is thrown.
    • Maximum Attribute Length:
      • Specifies the maximum length allowed for an attribute value.
      • For example, if the value is set to 5 and an attribute value is 6 characters long, an error is thrown.
    • Maximum Comment Length:
      • Specifies the maximum length of a comment that is allowed.
      • For example, if the value is set to 1 and a comment is longer than one character, an error is thrown.

(Note: if any of these limits is exceeded, the gateway rejects the request with 400 Bad Request and an error message naming the violated condition; the request never reaches the upstream application. The example values above are only illustrative: the sample document below nests elements three levels deep and carries text values up to 7 characters, so it needs a node depth limit of at least 3 and a text length limit of at least 7 to be accepted.)

  • Let’s see this in practice by applying the policy. For this instance, we’ll create an application that creates car records in Salesforce, front it with a proxy, and apply the XML threat protection policy on top of the proxy.

The accepted XML format is:

<?xml version='1.0' encoding='UTF-8'?>
<Cars>
  <brand internalId="123">Toyota</brand>
  <models>
    <name>Camry</name>
    <type>Hybrid</type>
    <price>60L</price>
  </models>
  <models>
    <name>Century</name>
    <type>Hybrid</type>
    <price>1.5Cr</price>
  </models>
</Cars>
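To make the six limits concrete, here is an added Python check that is not MuleSoft's implementation: it enforces the same six constraints over an XML body with a streaming SAX parser and reports the first violated rule, which is the point at which the gateway answers 400. The limit values, the convention that the root element sits at depth 1, and the choice to ignore whitespace-only text between elements are assumptions; the sample document is the accepted format above. Malformed XML is rejected the same way, and external entity resolution is switched off so the check itself cannot be turned into an XXE vector.

```python
"""Structural XML limit checks modelled on the six XML Threat Protection
properties. Added illustration, not MuleSoft's implementation."""
import io
import xml.sax
from dataclasses import dataclass
from typing import List, Optional
from xml.sax import handler
from xml.sax.handler import ContentHandler


@dataclass(frozen=True)
class XmlLimits:
    """One field per policy property; values are assumptions, not MuleSoft defaults."""
    max_node_depth: int = 3        # root element counts as depth 1 (assumption)
    max_attr_count: int = 1        # attributes on a single element
    max_child_count: int = 3       # child elements under a single element
    max_text_length: int = 10      # characters of text inside a single element
    max_attr_length: int = 5       # characters in a single attribute value
    max_comment_length: int = 20   # characters in a single comment


class XmlThreatViolation(Exception):
    """Raised inside a SAX callback so parsing stops at the first violation."""


class _LimitEnforcer(ContentHandler):
    """Streaming (SAX) enforcer: a hostile body is rejected while it is being read,
    before any tree is built. Two stacks hold, per open element, how many children
    and how many text characters have been seen so far."""

    def __init__(self, limits: XmlLimits) -> None:
        super().__init__()
        self.limits = limits
        self._child_counts: List[int] = []
        self._text_lengths: List[int] = []

    def startElement(self, name, attrs):
        lim = self.limits
        depth = len(self._child_counts) + 1
        if depth > lim.max_node_depth:
            raise XmlThreatViolation(f"max_node_depth: <{name}> at depth {depth} > {lim.max_node_depth}")
        if self._child_counts:
            self._child_counts[-1] += 1
            if self._child_counts[-1] > lim.max_child_count:
                raise XmlThreatViolation(f"max_child_count: parent of <{name}> has > {lim.max_child_count} children")
        if len(attrs) > lim.max_attr_count:
            raise XmlThreatViolation(f"max_attr_count: <{name}> has {len(attrs)} attributes > {lim.max_attr_count}")
        for attr_name, value in attrs.items():
            if len(value) > lim.max_attr_length:
                raise XmlThreatViolation(f"max_attr_length: {attr_name} on <{name}> is {len(value)} chars > {lim.max_attr_length}")
        self._child_counts.append(0)
        self._text_lengths.append(0)

    def characters(self, content):
        # Whitespace between elements is layout, not payload (assumption). expat may
        # deliver one text node in several chunks, hence the running total per element.
        if not content.strip() or not self._text_lengths:
            return
        self._text_lengths[-1] += len(content)
        if self._text_lengths[-1] > self.limits.max_text_length:
            raise XmlThreatViolation(f"max_text_length: text exceeds {self.limits.max_text_length} chars")

    def endElement(self, name):
        self._child_counts.pop()
        self._text_lengths.pop()

    # LexicalHandler interface: expat wires up all five callbacks, so each must exist.
    def comment(self, content):
        if len(content) > self.limits.max_comment_length:
            raise XmlThreatViolation(f"max_comment_length: comment is {len(content)} chars > {self.limits.max_comment_length}")

    def startDTD(self, name, public_id, system_id): pass  # DTD/entity hardening is a separate control
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def check_xml_threats(data: bytes, limits: XmlLimits) -> Optional[str]:
    """Return None when the body is within every limit, otherwise a message naming the
    first violated rule (where the gateway answers 400 Bad Request). Bodies that are not
    well-formed XML are rejected the same way."""
    enforcer = _LimitEnforcer(limits)
    parser = xml.sax.make_parser()
    parser.setContentHandler(enforcer)
    parser.setProperty(handler.property_lexical_handler, enforcer)  # delivers comment()
    parser.setFeature(handler.feature_external_ges, False)          # never resolve external entities
    try:
        parser.parse(io.BytesIO(data))
    except XmlThreatViolation as exc:
        return str(exc)
    except xml.sax.SAXParseException as exc:
        return f"malformed XML: {exc}"
    return None


# The accepted format from the article, embedded here as the sample input.
SAMPLE_XML = b"""<?xml version='1.0' encoding='UTF-8'?>
<Cars>
  <brand internalId="123">Toyota</brand>
  <models>
    <name>Camry</name>
    <type>Hybrid</type>
    <price>60L</price>
  </models>
  <models>
    <name>Century</name>
    <type>Hybrid</type>
    <price>1.5Cr</price>
  </models>
</Cars>
"""
```

With the default limits the sample passes; tightening max_node_depth to 2 rejects it at the first `<name>` element, which is exactly the situation the note above warns about when the illustrative values are copied into a real policy.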

Steps:

  1. Create a new Mule project. From the HTTP module, drag an HTTP Listener into the flow and configure it: host All Interfaces (0.0.0.0), port 8081, path /Cars.
  2. After the listener, add two Logger components to mark the beginning and the end of the flow, logging, in expression mode, the message "Start of flow " ++ (flow.name as String).
  3. Add the Create operation from the Salesforce module and create its connector configuration. Here we use the Basic Authentication connection type, which takes the username, password and the security token from the prerequisites.
  4. Add a Transform Message to map the incoming fields to the custom object fields (carName__c, carPrice__c and carType__c).
  5. Add a second Transform Message to convert the response to XML.
  6. Deploy the application to CloudHub 2.0.
  7. Once the application is deployed, copy the public endpoint and navigate to API Manager. Click Add new API.
  8. Select Mule Gateway as the gateway and Proxy endpoint as the proxy type.
  9. Provide a name for the proxy application and click Next. For this instance, the name is proxy-app.
  10. Under Create new API, select HTTP API as the asset type and name the asset. Here the asset is named proxy.
  11. Select HTTP as the protocol and add a base path if you have one; in this case there is none, so leave it empty. Click Next.
  12. Enter the public endpoint, including the resource path, as the upstream URL and click Next. Review the settings and click Save & deploy.
  13. Add the XML Threat Protection policy on top of the proxy API: open Policies, select XML threat protection, and click Next.
  14. Configure the limits for the XML body (the six properties described above).
  15. Verify the policy by sending a compliant body and one that exceeds a limit, and check that the second is rejected with 400 Bad Request while the first reaches the application.
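The check in step 15 is easiest to repeat with a small probe set. The following Python harness is added here and is not MuleSoft code: it builds one well-formed body per policy property that crosses that limit by exactly one, so a 400 can be attributed to a single rule, posts each body to the proxy and reports whether the gateway answered 400. PROXY_URL and the values in LIMITS are placeholders for your own deployment. The compliant body is expected to pass through to the Salesforce create, so its status depends on the upstream call and is only required not to be 400.

```python
"""Probe a deployed proxy to confirm that the XML Threat Protection policy answers
HTTP 400 for each class of oversized input. Added harness, not MuleSoft code."""
import urllib.error
import urllib.request
from typing import Dict, Tuple

PROXY_URL = "http://proxy-app.example/Cars"   # placeholder: your proxy's public endpoint

# The values configured on the policy in API Manager (assumed for this harness).
LIMITS: Dict[str, int] = {
    "max_node_depth": 3,
    "max_attr_count": 1,
    "max_child_count": 3,
    "max_text_length": 10,
    "max_attr_length": 5,
    "max_comment_length": 20,
}


def build_probes(limits: Dict[str, int]) -> Dict[str, bytes]:
    """One well-formed body per policy property, each crossing exactly that limit
    by one so a 400 can be attributed to a single rule, plus a compliant body."""
    depth = limits["max_node_depth"] + 1
    attrs = " ".join(f'a{i}="v"' for i in range(limits["max_attr_count"] + 1))
    children = "<k/>" * (limits["max_child_count"] + 1)
    text = "t" * (limits["max_text_length"] + 1)
    attr_value = "v" * (limits["max_attr_length"] + 1)
    comment = "c" * (limits["max_comment_length"] + 1)
    return {
        "compliant": b'<Cars><brand internalId="123">Toyota</brand></Cars>',
        "max_node_depth": ("<d>" * depth + "x" + "</d>" * depth).encode(),
        "max_attr_count": f"<e {attrs}/>".encode(),
        "max_child_count": f"<e>{children}</e>".encode(),
        "max_text_length": f"<e>{text}</e>".encode(),
        "max_attr_length": f'<e a="{attr_value}"/>'.encode(),
        "max_comment_length": f"<e><!--{comment}--></e>".encode(),
    }


def send(url: str, body: bytes) -> int:
    """POST one body and return the HTTP status; 4xx/5xx come back as values, not exceptions."""
    request = urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": "application/xml"})
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(name: str, status: int) -> bool:
    """A limit probe passes only when the gateway answered 400. The compliant body must
    not be blocked; its exact status depends on the upstream Salesforce call."""
    if name == "compliant":
        return status != 400
    return status == 400


def run_probes(url: str, limits: Dict[str, int]) -> Dict[str, Tuple[int, bool]]:
    """Send every probe and pair each with (status, passed)."""
    results = {}
    for name, body in build_probes(limits).items():
        status = send(url, body)
        results[name] = (status, verdict(name, status))
    return results


if __name__ == "__main__":
    for name, (status, ok) in run_probes(PROXY_URL, LIMITS).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: HTTP {status}")
```

Run it once with LIMITS set to the values you entered in step 14; a FAIL on a limit probe means that property is either not configured or configured more loosely than you think, and a 400 on the compliant body means the limits are tighter than the accepted format needs.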

Protect your APIs from XML threats and ensure smooth data flow. Connect with TGH to implement MuleSoft XML Threat Protection Policy effortlessly.

Author

Aniket Pal
