Internal Component Security (RBAC & Resource-Level Access)
The security settings in 1Gateway are configured in the application properties or in environment variables. This layer adds granular access control to features such as webhooks, queues, and MongoDB. These settings are applied only if system-level authentication is enabled.
authenticate-queue
Purpose:
Restricts queue access based on the user's identity.
Values:
false: Authenticated users can access all queues.
strict: Access only to queues with names matching the username.
Use Case:
Limit Webhook-App1 to queue Webhook-App1 only.
Default: false
authenticate-mongodb
Purpose:
Restricts access to MongoDB collections via the /api/v4/mongo endpoint.
Values:
false: Authenticated users can access all collections.
strict: Access only to collections matching the user's name.
Use Case:
Limit Operator-App1 to operate only on the Operator-App1 collection.
Default: false
authenticate-send
Purpose:
Controls access to the /send endpoint for webhook messaging.
Values:
false: Any user with the webhook role can access any webhook.
strict: The user must have the webhook role and the username must match the webhook parameter in the request.
Default: false
authenticate-send-no-auth
Purpose:
Secures or disables the /sendNoAuth endpoint.
Values:
false: Endpoint is disabled (returns 404).
true: Public access with no token or authentication required.
token: Requires a valid API key assigned to a user.
strict: API key must be valid and belong to a user whose name matches the webhook parameter.
Default: false
Example Combined Configuration (application.properties)
# SYSTEM-LEVEL SECURITY
authenticate=oauth
authorization-url=https://auth.example.com/oauth2/authorize
token-url=https://auth.example.com/oauth2/token
logout-url=https://auth.example.com/logout
client-id=1gateway-ui
# INTERNAL ACCESS CONTROL
application.authenticate-queue=strict
application.authenticate-mongodb=strict
application.authenticate-send=strict
application.authenticate-send-no-auth=token
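
A configuration check for the settings above, as an added example that is not part of the 1Gateway documentation or code: it parses an application.properties text and reports internal access-control keys that are left unrestricted, public, or ineffective. The function names are hypothetical, and treating a missing or false authenticate key as "system-level authentication off" is an assumption, since the page does not list that key's values.

```python
# Added example: allowed values and defaults below are the ones documented on this page.
ALLOWED = {
    "authenticate-queue": {"false", "strict"},
    "authenticate-mongodb": {"false", "strict"},
    "authenticate-send": {"false", "strict"},
    "authenticate-send-no-auth": {"false", "true", "token", "strict"},
}


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return a list of (key, message) findings for the internal settings."""
    props = parse_properties(text)
    findings = []
    # Assumption: a missing or 'false' authenticate key means system-level auth is off.
    system_auth = props.get("authenticate", "false").lower() != "false"
    for key, allowed in ALLOWED.items():
        value = props.get("application." + key, "false").lower()  # documented default
        if value not in allowed:
            findings.append((key, f"unknown value '{value}'"))
        elif not system_auth and value != "false":
            findings.append((key, "ignored: system-level authentication is not enabled"))
        elif key == "authenticate-send-no-auth" and value == "true":
            findings.append((key, "/sendNoAuth is public, no token required"))
        elif key != "authenticate-send-no-auth" and value == "false":
            findings.append((key, "not restricted by username"))
    return findings


# Constructed sample input, not a real deployment.
SAMPLE = """\
authenticate=oauth
application.authenticate-queue=strict
application.authenticate-send=false
application.authenticate-send-no-auth=true
"""


if __name__ == "__main__":
    print("\n".join(f"{k}: {m}" for k, m in audit(SAMPLE)))
```

Run against the combined configuration shown above, the check returns no findings.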