Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Disable Basic Authentication

Avatar

Level 2
Level 2
4/26/18 10:29:07 AM

I want to disable basic authentication and ran across this thread: How to make CQ5 working with enabled basic http authentication dispatcher .  I didn't get any hits, maybe because the thread was so old, so I'll post here as a new topic.

I know this will break replication, but I'm just curious on how to do it.  It appears that I can set HTTP Basic Authentication on http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuth enticator to Disabled, but that doesn't seem to work on several AEM 6.2 instances I have tested on.  Replication is still working and I can pass the basic authentication headers to the admin UI and it logs me in.

Views

4.7K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
5/1/18 9:45:47 AM

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

View solution in original post

Views

3.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Employee Advisor
Employee Advisor
4/27/18 8:53:38 AM

You should disable basic auth on publish if you want to break replication :-)

Jölrg

Views

3.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
4/30/18 8:57:19 AM

Right, I know.  I was just wondering if it's feasible to disable.  I am doing some security testing.

Views

3.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Employee Advisor
Employee Advisor
5/1/18 9:45:47 AM

Hm, I would not do it. You should do security testing against a hardened publish instance (with dispatcher in front of it), following the AEM security checklist (see [1]). That's the typical threat scenario.

The /bin/receive servlet is normally (if you implement the security checklist) not reachable from the internet.

Jörg

[1] Security Checklist

Views

3.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Employee
Employee
4/16/20 10:53:21 AM

Instead of disabling basic auth on publish, just don't include Authorization header in the /clientheaders config of the dispatcher configuration.  That effectively prevents basic auth from the outside world.

Views

3.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
AEM Dispatcher config for custom authentication handler Solved

Views

215

Likes

0

Replies

2
AEMasCS Production dispatcher how to add authentication to a single page Solved

Views

318

Like

1

Replies

5
Even though the replication agent is disabled it still shows error and retry logs Solved

Views

293

Likes

0

Replies

2
I want to disable the delete copy move and all the other options for the child components

Views

242

Likes

0

Replies

7
Authenticated (MS Entra ) Backend api to AEMasCS

Views

104

Likes

0

Replies

2