WS Security in Mule


Web Services Security (WS-Security, WSS) is an extension to SOAP to apply security to Web services.
If a web service is exposed to the external world, the data it carries comes under threat from several potential security vulnerabilities.
So, in order to protect our web service, we require Web Services Security.

WS-Security describes 3 main mechanisms:

  • How to sign SOAP messages to assure integrity. Signed messages also provide non-repudiation.
  • How to encrypt SOAP messages to assure confidentiality.
  • How to attach security tokens to ascertain the sender’s identity.

WS-Security incorporates security features in the header of a SOAP message.
It works at the application layer.

In this example we will be implementing a simple username and password in the WS Security format.

So, we will expose a SOAP web service that will implement WS-Security :-



To expose a web service with security in Mule we need Spring Security in our flow :-

And our Mule flow will be :-


Following will be our flow in graphical mode ready with security :-


Testing our application

Now, we will be testing our secured web service in SOAPUI :-


You can see here, we are testing the service by giving username and password in the header section of SOAP request and I am getting the response back from the service.
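The username and password placed in the SOAP header above form a WS-Security UsernameToken. The Python below is an added example, not code from the original post or from Mule: it builds such a header in the PasswordDigest form of the OASIS UsernameToken profile and applies the receiver-side checks (timestamp freshness, nonce replay, digest comparison). The credentials, function names and five-minute window are assumptions.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST_TYPE = OASIS + "username-token-profile-1.0#PasswordDigest"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
USERS = {"demo-user": "demo-pass"}  # constructed credentials (assumption)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken profile: Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, nonce, created):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    token = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)  # password itself never sent
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="unicode")

def verify(envelope, now, seen_nonces, max_age=timedelta(minutes=5)):
    path = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken"
    token = ET.fromstring(envelope).find(path)
    if token is None:
        return "rejected: no UsernameToken"
    field = lambda name, ns=WSSE: token.findtext(f"{{{ns}}}{name}", "")
    created = field("Created", WSU)
    try:
        nonce = base64.b64decode(field("Nonce"), validate=True)
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return "rejected: malformed token"
    if abs(now - ts) > max_age:
        return "rejected: stale timestamp"
    if nonce in seen_nonces:
        return "rejected: replayed nonce"
    expected = password_digest(nonce, created, USERS.get(field("Username"), ""))
    if field("Username") not in USERS or not hmac.compare_digest(
            field("Password").encode(), expected.encode()):
        return "rejected: bad credentials"
    seen_nonces.add(nonce)  # remember only nonces from authenticated requests
    return "accepted"
```

A UsernameToken only authenticates the sender: it neither signs nor encrypts the body, so send it over TLS or pair it with WS-Security signing and encryption. Parse untrusted SOAP with a hardened XML parser in a real service.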


So, you can see WS-Security offers confidentiality and integrity protection from the creation of the message to its consumption.
WS-Security offers more protection than HTTPS would, and SOAP offers a richer API than any other security.
Thus we can say WS-Security has measures for authentication, integrity, confidentiality and non-repudiation.

That’s it !!! I hope you enjoyed the post.



Anirban Sen Chowdhary

Anirban Sen Chowdhary is an information technology professional currently working on Java/J2ee, Esb and Integration platform.
