In the Security Checklist for AEM 6.4 in the section Disable WebDAV, it mentions stopping the following bundles:
However in Security Checks in the Operation Dashboard there is a health check for WebDAV Health Check. (Tools -> Operations -> Health Reports -> Security Checks -> WebDAV Health Check). In that Health Check it will issue a warning if "Apache Sling Simple WebDAV Access to repositories" is disabled.
The information displayed in the health check is:
With status:
Which is correct or more secure? Should the bundle be stopped, or should it be configured?
...
clint
If you start AEM instance with the "nosamplecontent" which is production ready[1], this will automatically take care of stopping this bundle on production publish websites
@Jaideep_Brar , Thanks for the reply. I am not certain that -nosamplecontent does disable both of those bundles. In my case, after installing using that runmode I found this bundle Active - "Apache Sling Simple WebDAV Access to repositories". Regardless of whether -nosamplecontent does or does not disable/stop the bundle, it still does not explain the discrepancy between the security checklist documentation and the security checks through the Operations Dashboard.
Hi,
Yes, by default it is not disabled. we used curl to disable and enable in case we need it, mostly the crx de.
The $ACTION could be start or stop
curl -u $AEMUID:$PWD -Faction=$ACTION \
http://$H:$P/system/console/bundles/com.adobe.granite.crxde-lite
sleep $DELAY
curl -u $AEMUID:$PWD -Faction=$ACTION \
http://$H:$P/system/console/bundles/com.adobe.granite.crx-explorer
sleep $DELAY
curl -u $AEMUID:$PWD -Faction=$ACTION \
http://$H:$P/system/console/bundles/com.day.cq.dam.dam-webdav-support
sleep $DELAY
curl -u $AEMUID:$PWD -Faction=$ACTION \
http://$H:$P/system/console/bundles/org.apache.sling.jcr.davex
sleep $DELAY
curl -u $AEMUID:$PWD -Faction=$ACTION \
http://$H:$P/system/console/bundles/org.apache.sling.jcr.webdav
sleep $DELAY
These bundles should be stopped.
Below is the health check report for sample content run mode of nonprod environment:
The message clearly said that it should be used with author/publisher+sample content run mode while it should be disabled for -nosamplecontent run mode(production-ready)
Regards,
Arpit
Hey @ArpitVarshney,
Thanks for the reply! Here are some screen shots of the bundles in question and the Security Checks -> WebDAV Health Check. The bundles are not active as suggested per the Security Checklist. However the WebDAV Health Check is giving me a warning [WARN]. If the bundles should not be active, then the WebDAV Health Check probably should not be in status:WARN, but instead should be in status:OK. Maybe I am missing something?
...
clint
Hi @ClintLundmark ,
What is the run mode of your running instance? Is it configured with --samplecontent or --nosamplecontent?
Regards,
Arpit Varshney