コミュニティアチーブメントバーを展開する。

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now

Mark Solution

この会話は、活動がないためロックされています。新しい投稿を作成してください。

解決済み

Disable Basic Authentication

Avatar

Level 2
Level 2
2018/04/26 10:29:07 AM

I want to disable basic authentication and ran across this thread: How to make CQ5 working with enabled basic http authentication dispatcher .  I didn't get any hits, maybe because the thread was so old, so I'll post here as a new topic.

I know this will break replication, but I'm just curious on how to do it.  It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuth enticator to Disabled, but that doesn't seem to work on several AEM 6.2 instances I have tested on.  Replication is still working and I can pass the basic authentication headers to the admin UI and it logs me in.

表示

5.5K

返信

4
ログインしてこのコンテンツに「いいね!」する

いいね!の合計

翻訳
翻訳
1 受け入れられたソリューション

Avatar

正解者
Employee Advisor
Employee Advisor
2018/05/01 9:45:47 AM

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

元の投稿で解決策を見る

表示

3.7K

返信

0
ログインしてこのコンテンツに「いいね!」する

いいね!の合計

翻訳
翻訳
返信にジャンプ
4 返信

Avatar

Employee Advisor
Employee Advisor
2018/04/27 8:53:38 AM

You should disable basic auth on publish if you want to break replication 🙂

Jölrg

表示

3.7K

返信

0
ログインしてこのコンテンツに「いいね!」する

いいね!の合計

翻訳
翻訳

Avatar

Level 2
Level 2
2018/04/30 8:57:19 AM

Right, I know.  I was just wondering if it's feasible to disable.  I am doing some security testing.

表示

4.0K

返信

0
ログインしてこのコンテンツに「いいね!」する

いいね!の合計

翻訳
翻訳

Avatar

正解者
Employee Advisor
Employee Advisor
2018/05/01 9:45:47 AM

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

表示

3.7K

返信

0
ログインしてこのコンテンツに「いいね!」する

いいね!の合計

翻訳
翻訳
返信にジャンプ

Avatar

Employee
Employee
2020/04/16 10:53:21 AM

Instead of disabling basic auth on publish, just don't include Authorization header in the /clientheaders config of the dispatcher configuration.  That effectively prevents basic auth from the outside world.

表示

4.6K

返信

0
ログインしてこのコンテンツに「いいね!」する

いいね!の合計

翻訳
翻訳
関連する会話
AEMaaCS - 535 authentication failed error when sending emails using mailgun host configuration Solved

表示

261

いいね!

0

返信

4
Request for Guidance: Implementing OAuth2 Authentication in AEMaaCS with Sample Code Solved

表示

376

いいね!

0

返信

2
AEMAACS custom authentication handler without user creation Solved

表示

244

いいね!

0

返信

3
Disable .html extension check in AEM linkchecker Solved

表示

283

いいね!

2

返信

1
SAML Authentication Redirect to IDP URL Solved

表示

844

いいね!

0

返信

6