Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Disable Basic Authentication

25793466
Level 2
Level 2

I want to disable basic authentication and ran across this thread: How to make CQ5 working with enabled basic http authentication dispatcher .  I didn't get any hits, maybe because the thread was so old, so I'll post here as a new topic.

I know this will break replication, but I'm just curious on how to do it.  It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuth enticator to Disabled, but that doesn't seem to work on several AEM 6.2 instances I have tested on.  Replication is still working and I can pass the basic authentication headers to the admin UI and it logs me in.

1 Accepted Solution
Jörg_Hoh
Correct answer by
Employee
Employee

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

View solution in original post

0 Replies
Jörg_Hoh
Employee
Employee

You should disable basic auth on publish if you want to break replication 🙂

Jölrg

25793466
Level 2
Level 2

Right, I know.  I was just wondering if it's feasible to disable.  I am doing some security testing.

Jörg_Hoh
Correct answer by
Employee
Employee

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

Andrew_Khoury
Employee
Employee

Instead of disabling basic auth on publish, just don't include Authorization header in the /clientheaders config of the dispatcher configuration.  That effectively prevents basic auth from the outside world.