SOLVED

.htpasswd with CQ

Level 4

Hi,

My Apache web server is fronting a CQ dispatcher that is rendering from a CQ Publish Instance on the server. Everything works correctly until I try to put a .htpasswd in my Apache config to require user authentication before users can access my CQ Publish instance. Whenever I browse to my site, I get an authentication prompt. This behavior is expected. I enter the user credentials, as defined by my .htpasswd file, and the prompt goes away. However, I will then get a second prompt with the following message:

"The server http://myserver:80 requires a username and password. The server says: Sling (Development)."

Regardless of which user credentials I use, authentication will fail and I get the first password prompt from my .htaccess file.

I can see from my Apache error log that the second authentication attempt was against content in my CQ Publish instance's repository. Why would this happen? What is missing in my configuration? If I remove .htaccess, I get no authentication prompts.

Please advise.

Thank You.

1 Accepted Solution

Correct answer by
Employee

Hi,

I suspect the problem is that the Authorization header is being passed through from Apache to CQ. The header's value, however, is not valid as far as CQ is concerned because the username/password referenced in the header does not exist. Even when you allow anonymous access in CQ, passing a bad Authorization header will trigger an authentication request.

One solution might be to configure the dispatcher not to pass the Authorization header. Another solution would be to perform authentication within CQ.

HTH,

Justin

Employee Advisor

Another option would be to reconfigure the Sling Authenticator (localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuthenticator) not to perform preemptive basic authentication, but just simple basic auth (option "enabled").

Jörg

Level 4

Thank you, Justin! You are absolutely correct. Once we configured the virtual host configuration to unset the Authorization header (and also commented allowAuthorized), we are only getting ONE prompt from .htpasswd and no additional prompts from Sling (Development).
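
The fix reported in the last reply could look like the following virtual host. This is an added example, not configuration posted in the thread; the realm name, file paths and the assumption that mod_headers and the dispatcher module are loaded elsewhere in the server config are all illustrative.

```apache
# Constructed vhost; realm and file paths are assumptions.
<VirtualHost *:80>
    ServerName myserver

    # First (expected) prompt: Apache Basic auth against the .htpasswd file.
    <Location "/">
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        AuthUserFile "/etc/apache2/.htpasswd"
        Require valid-user
    </Location>

    # Requires mod_headers. Without the "early" keyword, RequestHeader is
    # applied after Apache has already checked the credentials, so the
    # .htpasswd login still works, but the header is gone by the time the
    # dispatcher forwards the request to the publish instance.
    # Do not add "early": the header would then be stripped before Apache's
    # own authentication check and every request would be answered with 401.
    RequestHeader unset Authorization

    # Hand requests to the dispatcher (module loaded elsewhere).
    <IfModule disp_apache2.c>
        SetHandler dispatcher-handler
    </IfModule>
</VirtualHost>

# The last reply also commented out allowAuthorized in dispatcher.any.
# Shown as a comment because it is dispatcher syntax, not Apache syntax:
#   /cache
#     {
#     # /allowAuthorized "1"
#     }
```

After a reload, a request carrying valid .htpasswd credentials should reach the publish instance without an Authorization header, which can be confirmed in the publish instance's request log.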