Disable Basic Authentication

25793466

26-04-2018

I want to disable basic authentication and ran across this thread: How to make CQ5 working with enabled basic http authentication dispatcher. I didn't get any hits, maybe because the thread was so old, so I'll post here as a new topic.

I know this will break replication, but I'm just curious on how to do it. It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuthenticator to Disabled, but that doesn't seem to work on several AEM 6.2 instances I have tested on. Replication is still working and I can pass the basic authentication headers to the admin UI and it logs me in.

Accepted Solutions (1)

Jörg_Hoh
Employee

01-05-2018

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

Answers (3)

Jörg_Hoh
Employee

27-04-2018

You should disable basic auth on publish if you want to break replication 🙂

Jörg

Andrew_Khoury
Employee

16-04-2020

Instead of disabling basic auth on publish, just don't include the Authorization header in the /clientheaders config of the dispatcher configuration. That effectively prevents basic auth from the outside world.
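As an added example (not from this thread or from Adobe), a small shell check that reads a dispatcher.any and reports whether the /clientheaders allowlist would pass the Authorization header through to AEM, either listed explicitly or via the "*" wildcard that forwards every client header. The two sample configurations are constructed; farm names and paths are hypothetical.

```bash
#!/bin/sh
# Added check: scan the /clientheaders block of a dispatcher.any and print
# "forwarded" if Authorization would reach AEM (listed or via "*"), else "blocked".
check_clientheaders() {
  awk '
    $1 == "/clientheaders" { inblock = 1 }
    inblock {
      line = $0
      sub(/#.*/, "", line)             # drop trailing comments
      gsub(/[{}"]/, " ", line)         # braces and quotes are just separators
      n = split(line, tok, /[[:space:]]+/)
      for (i = 1; i <= n; i++) {
        t = tolower(tok[i])
        if (t == "*" || t == "authorization") forwards = 1
      }
      if (index($0, "}")) inblock = 0  # block closes on this line
    }
    END { print (forwards ? "forwarded" : "blocked") }
  ' "$1"
}

# Two constructed sample configs (farm names and paths are hypothetical).
TMPDIR_ANY=$(mktemp -d)
WEAK_CFG="$TMPDIR_ANY/weak.any"
HARDENED_CFG="$TMPDIR_ANY/hardened.any"

cat > "$WEAK_CFG" <<'EOF'
/farms {
  /publish {
    /clientheaders {
      "Host"
      "Authorization"     # lets Basic credentials through the dispatcher
      "Cookie"
    }
  }
}
EOF

cat > "$HARDENED_CFG" <<'EOF'
/farms {
  /publish {
    /clientheaders {
      "Host"
      "Cookie"
      "X-Forwarded-For"
    }
  }
}
EOF

echo "weak.any:     $(check_clientheaders "$WEAK_CFG")"
echo "hardened.any: $(check_clientheaders "$HARDENED_CFG")"
```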

25793466

30-04-2018

Right, I know.  I was just wondering if it's feasible to disable.  I am doing some security testing.