Disable Basic Authentication

Question

I want to disable basic authentication and ran across this thread: How to make CQ5 working with enabled basic http authentication dispatcher . I didn't get any hits, maybe because the thread was so old, so I'll post here as a new topic.

I know this will break replication, but I'm just curious on how to do it. It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuth enticator to Disabled, but that doesn't seem to work on several AEM 6.2 instances I have tested on. Replication is still working and I can pass the basic authentication headers to the admin UI and it logs me in.

joerghoh · Accepted Answer

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

joerghoh · Answer

You should disable basic auth on publish if you want to break replication :-)Jölrg

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded