I want to disable basic authentication and ran across this thread: How to make CQ5 working with enabled basic http authentication dispatcher . I didn't get any hits, maybe because the thread was so old, so I'll post here as a new topic.
I know this will break replication, but I'm just curious on how to do it. It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuth enticator to Disabled, but that doesn't seem to work on several AEM 6.2 instances I have tested on. Replication is still working and I can pass the basic authentication headers to the admin UI and it logs me in.
Solved! Go to Solution.
Views
Replies
Total Likes
Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.
The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.
Jörg
Views
Replies
Total Likes
You should disable basic auth on publish if you want to break replication :-)
Jölrg
Right, I know. I was just wondering if it's feasible to disable. I am doing some security testing.
Views
Replies
Total Likes
Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.
The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.
Jörg
Views
Replies
Total Likes
Instead of disabling basic auth on publish, just don't include Authorization header in the /clientheaders config of the dispatcher configuration. That effectively prevents basic auth from the outside world.
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies
Views
Likes
Replies