Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn More

View all

Sign in to view all badges

Disable Basic Authentication

Avatar

Avatar
Validate 1
Level 2
25793466
Level 2

Likes

3 likes

Total Posts

22 posts

Correct Reply

2 solutions
Top badges earned
Validate 1
Boost 3
Boost 1
Affirm 1
View profile

Avatar
Validate 1
Level 2
25793466
Level 2

Likes

3 likes

Total Posts

22 posts

Correct Reply

2 solutions
Top badges earned
Validate 1
Boost 3
Boost 1
Affirm 1
View profile
25793466
Level 2

26-04-2018

I want to disable basic authentication and ran across this thread: How to make CQ5 working with enabled basic http authentication dispatcher .  I didn't get any hits, maybe because the thread was so old, so I'll post here as a new topic.

I know this will break replication, but I'm just curious on how to do it.  It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuth enticator to Disabled, but that doesn't seem to work on several AEM 6.2 instances I have tested on.  Replication is still working and I can pass the basic authentication headers to the admin UI and it logs me in.

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar
Coach
Employee
Jörg_Hoh
Employee

Likes

1,114 likes

Total Posts

3,148 posts

Correct Reply

1,072 solutions
Top badges earned
Coach
Give back 600
Ignite 5
Ignite 3
Ignite 1
View profile

Avatar
Coach
Employee
Jörg_Hoh
Employee

Likes

1,114 likes

Total Posts

3,148 posts

Correct Reply

1,072 solutions
Top badges earned
Coach
Give back 600
Ignite 5
Ignite 3
Ignite 1
View profile
Jörg_Hoh
Employee

01-05-2018

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

Answers (3)

Answers (3)

Avatar

Avatar
Coach
Employee
Jörg_Hoh
Employee

Likes

1,114 likes

Total Posts

3,148 posts

Correct Reply

1,072 solutions
Top badges earned
Coach
Give back 600
Ignite 5
Ignite 3
Ignite 1
View profile

Avatar
Coach
Employee
Jörg_Hoh
Employee

Likes

1,114 likes

Total Posts

3,148 posts

Correct Reply

1,072 solutions
Top badges earned
Coach
Give back 600
Ignite 5
Ignite 3
Ignite 1
View profile
Jörg_Hoh
Employee

27-04-2018

You should disable basic auth on publish if you want to break replication 🙂

Jölrg

Avatar

Avatar
Give Back 5
Employee
Andrew_Khoury
Employee

Likes

75 likes

Total Posts

93 posts

Correct Reply

33 solutions
Top badges earned
Give Back 5
Give Back 3
Give Back 10
Give Back
Boost 50
View profile

Avatar
Give Back 5
Employee
Andrew_Khoury
Employee

Likes

75 likes

Total Posts

93 posts

Correct Reply

33 solutions
Top badges earned
Give Back 5
Give Back 3
Give Back 10
Give Back
Boost 50
View profile
Andrew_Khoury
Employee

16-04-2020

Instead of disabling basic auth on publish, just don't include Authorization header in the /clientheaders config of the dispatcher configuration.  That effectively prevents basic auth from the outside world.

Avatar

Avatar
Validate 1
Level 2
25793466
Level 2

Likes

3 likes

Total Posts

22 posts

Correct Reply

2 solutions
Top badges earned
Validate 1
Boost 3
Boost 1
Affirm 1
View profile

Avatar
Validate 1
Level 2
25793466
Level 2

Likes

3 likes

Total Posts

22 posts

Correct Reply

2 solutions
Top badges earned
Validate 1
Boost 3
Boost 1
Affirm 1
View profile
25793466
Level 2

30-04-2018

Right, I know.  I was just wondering if it's feasible to disable.  I am doing some security testing.