Access Control
When using Synapse there are three different areas of access control:
- Access to the Synapse API or user interface
- Access to Axon Server for sending messages
- Access to the handlers for receiving messages
Access to the Axon Synapse API
To control access to the Synapse API for registering handlers, the administrator must enable access control through the synapse.auth.enabled property.
If access control is on, all the APIs that work on Synapse configuration expect clients to provide either a valid username and password combination or a valid token. A username/password combination is valid when it exists in Axon Server, so that Axon Server can verify the user has the correct roles for the request. The same applies to a token: it must exist in Axon Server with the required role.
The required roles for the specific request types are:
Request type | Required role
GET |
other |
If you are using Axon Synapse in combination with Axon Server Standard edition, the token must be the token specified in the Axon Server axoniq.axonserver.accesscontrol.token property for the GET operations, and the axoniq.axonserver.accesscontrol.admin-token property for the other requests.
Sending messages
When a client sends a request to Synapse, it needs to provide a token to authenticate itself. The client must provide this token through the X-API-KEY header. The token must be valid in Axon Server and belong to an application that is allowed to execute the request type in the specified context.
If you are using Axon Synapse in combination with Axon Server Standard edition, the token must be the token specified in the Axon Server axoniq.axonserver.accesscontrol.token property.
Receiving messages
When you register a request handler in Synapse, you can specify two types of tokens:
- client token
- server token
The client token is the token that Synapse passes to the request handler. This way you can protect the request handler from illegal access: the handler only accepts calls that carry the token it expects. Axon Synapse passes the client token to the request handler as a Bearer token in the Authentication header.
Axon Server verifies the server token on requests to register the handler. It needs to be a valid application token, with a role that allows registering that type of handler. For instance, to register a command handler, the token of the application must contain one of the following roles in Axon Server: SUBSCRIBE_COMMAND_HANDLER, WRITE, or USE_CONTEXT.
If you are using Axon Synapse in combination with Axon Server Standard edition, the token must be the token specified in the Axon Server axoniq.axonserver.accesscontrol.token property.
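The client-token check a request handler should perform on the calls Synapse forwards to it, as an added example that is not part of the Synapse documentation or the Synapse code base. The token value is constructed; the header lookup is case-insensitive and, as an assumption, also accepts the standard Authorization header name alongside the Authentication header named above.

```python
import hmac
from http import HTTPStatus
from typing import Mapping, Optional, Tuple

# Constructed sample value: the client token given to Synapse when the handler was registered.
EXPECTED_CLIENT_TOKEN = "example-client-token-0123"


def extract_bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the Bearer token Synapse forwards with the request, or None if absent/malformed.

    Header names are matched case-insensitively. The page names the header
    'Authentication'; 'Authorization' is accepted as well (assumption, not from the page).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("authentication") or lowered.get("authorization")
    if raw is None:
        return None
    scheme, _, value = raw.strip().partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()


def check_client_token(headers: Mapping[str, str],
                       expected: str = EXPECTED_CLIENT_TOKEN) -> Tuple[int, str]:
    """Decide whether a forwarded request may reach the handler logic.

    Returns (HTTP status, reason). A missing or non-Bearer token is 401, a wrong
    token is 403. The comparison is constant-time so the check does not leak how
    many leading characters of the token were correct.
    """
    token = extract_bearer_token(headers)
    if token is None:
        return HTTPStatus.UNAUTHORIZED, "missing or malformed bearer token"
    if not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
        return HTTPStatus.FORBIDDEN, "client token mismatch"
    return HTTPStatus.OK, "ok"


if __name__ == "__main__":
    # Constructed headers as a handler would see them on a forwarded request.
    forwarded = {"Authentication": f"Bearer {EXPECTED_CLIENT_TOKEN}", "Content-Type": "application/json"}
    print(check_client_token(forwarded))
    print(check_client_token({"Authentication": "Bearer not-the-configured-token"}))
```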