Access Control

When using Synapse there are three different areas of access control:

  1. Access to the Synapse API or user interface

  2. Access to Axon Server for sending messages

  3. Access to the handlers for receiving messages

Access to the Axon Synapse API

To control access to the Synapse API for registering handlers, the administrator must enable access control through the synapse.auth.enabled property.

If access control is on, all the APIs that work on Synapse configuration expect clients to provide either a valid username and password combination or a valid token. A valid username/password combination is such that exists in Axon Server so it can verify the user has the correct roles for the request. Same for the token, it must exist in Axon Server with the required role.

The required roles for the specific request types are:

GET

ADMIN@_admin, VIEW_CONFIGURATION@_admin (to get information from any context), ADMIN@context, USE_CONTEXT@context (to get information from a specific context)

other

ADMIN@_admin, ADMIN@context

If you are using Axon Synapse in combination with Axon Server Standard edition the token must be the token specified in the Axon Server axoniq.axonserver.accesscontrol.token property for the GET operations, and the axoniq.axonserver.accesscontrol.admin-token property for the other requests.

Sending messages

When a client sends a request to Synapse, it needs to provide a token to authenticate itself. The client must provide this token through the X-API-KEY header. The token must be valid in Axon Server, for an application to execute the request type in the specified context.

If you are using Axon Synapse in combination with Axon Server Standard edition the token must be the token specified in the Axon Server axoniq.axonserver.accesscontrol.token property.

Receiving messages

When you register a request handler in Synapse, you can specify two types of tokens:

  • client token

  • server token

The client token is the token that Synapse passes to the request handler. This way you can protect the request handler from illegal access. Axon Synapse passes the client token to the request handler as a Bearer token in the Authentication header.

Axon Server verifies the server token on requests to register the handler. It needs to be a valid application token, with a role that allows registering that type of handler. For instance, to register a command handler, you need the token of an application to contain one of the following roles in Axon Server: SUBSCRIBE_COMMAND_HANDLER, WRITE, or USE_CONTEXT.

If you are using Axon Synapse in combination with Axon Server Standard edition the token must be the token specified in the Axon Server axoniq.axonserver.accesscontrol.token property.