Disable Basic Authentication | Adobe Higher Education
Level 2
April 26, 2018
Solved

Disable Basic Authentication

  • April 26, 2018
  • 4 replies
  • 5597 views

I want to disable basic authentication and ran across this thread: How to make CQ5 working with enabled basic http authentication dispatcher. I didn't get any hits, maybe because the thread was so old, so I'll post here as a new topic.

I know this will break replication, but I'm just curious on how to do it. It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuthenticator to Disabled, but that doesn't seem to work on several AEM 6.2 instances I have tested on. Replication is still working and I can pass the basic authentication headers to the admin UI and it logs me in.

Replies to this topic have been closed.

4 replies

joerghoh
Adobe Employee
April 27, 2018

You should disable basic auth on publish if you want to break replication :-)

Jörg

25793466 (author)
Level 2
April 30, 2018

Right, I know.  I was just wondering if it's feasible to disable.  I am doing some security testing.

joerghoh
Adobe Employee
Best answer
May 1, 2018

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

akhoury
Adobe Employee
April 16, 2020

Instead of disabling basic auth on publish, just don't include Authorization header in the /clientheaders config of the dispatcher configuration.  That effectively prevents basic auth from the outside world.
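As an added example (not from the thread and not Adobe's own tooling), a small Python check over two constructed dispatcher.any fragments: it lists the entries of the /clientheaders block and reports whether the Authorization header would be forwarded to publish, treating `"*"` as the catch-all and ignoring commented-out entries. The header names in the hardened fragment are an assumed allowlist, not a recommendation from the thread.

```python
import fnmatch
import re

# Constructed dispatcher.any fragments (not taken from the thread). The first
# forwards every client header, Authorization included; the second is an
# explicit allowlist that simply leaves Authorization out.
WEAK_CONFIG = """
/publishfarm
  {
  /clientheaders
    {
    "*"
    }
  }
"""

HARDENED_CONFIG = """
/publishfarm
  {
  /clientheaders
    {
    "Accept"
    "Accept-Encoding"
    "Cookie"
    "Host"
    "User-Agent"
    "X-Forwarded-For"
    }
  }
"""


def clientheaders(config_text):
    """Return the header patterns listed in the first /clientheaders block,
    ignoring '#' comments so a commented-out entry does not count."""
    stripped = re.sub(r"#.*", "", config_text)
    block = re.search(r"/clientheaders\s*\{(.*?)\}", stripped, re.S)
    if not block:
        return []
    return re.findall(r'"([^"]*)"', block.group(1))


def forwards_authorization(config_text):
    """True if a listed pattern would pass the Authorization header to publish.
    Header names are case-insensitive, so both sides are lower-cased; "*" is
    the documented catch-all, and other glob patterns are (an assumption here)
    matched the same way with fnmatch."""
    return any(fnmatch.fnmatchcase("authorization", pat.lower())
               for pat in clientheaders(config_text))
```

Run it against a real dispatcher.any to confirm that no entry (wildcard or explicit) lets Authorization through; an empty list means no /clientheaders block was found, not that the header is blocked.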