Stop Apache Sling WebDAV or not

ClintLundmark

27-05-2020

In the Security Checklist for AEM 6.4 in the section Disable WebDAV, it mentions stopping the following bundles:

  • Apache Sling Simple WebDAV Access to repositories (org.apache.sling.jcr.webdav)
  • Apache Sling DavEx Access to repositories (org.apache.sling.jcr.davex)

However in Security Checks in the Operation Dashboard there is a health check for WebDAV Health Check.  (Tools -> Operations -> Health Reports -> Security Checks -> WebDAV Health Check).  In that Health Check it will issue a warning if "Apache Sling Simple WebDAV Access to repositories" is disabled. 

The information displayed in the health check is:

  • INFO The WebDav bundle should be available and active in all runmodes.
  • INFO On instances started in author or publish + sampleconent runmodes the SimpleWebDavServlet should be configured.

With status:

  • [WARN] The Sling WebDav bundle is NOT active.
  • [WARN] The SimpleWebDavServlet is NOT configured.

Which is correct or more secure?  Should the bundle be stopped, or should it be configured?

...

clint

Replies

jbrar

Employee

27-05-2020

If you start the AEM instance with "nosamplecontent", which is production ready [1], this will automatically take care of stopping this bundle on production publish websites.

[1] https://docs.adobe.com/content/help/en/experience-manager-64/administering/security/production-ready...

ClintLundmark

27-05-2020

@jbrar , Thanks for the reply.  I am not certain that -nosamplecontent does disable both of those bundles.  In my case, after installing using that runmode I found this bundle Active - "Apache Sling Simple WebDAV Access to repositories".   Regardless of whether -nosamplecontent does or does not disable/stop the bundle, it still does not explain the discrepancy between the security checklist documentation and the security checks through the Operations Dashboard.

Arun_Patidar

MVP

27-05-2020

Hi,

Yes, by default it is not disabled. We used curl to disable and enable it in case we need it, mostly for CRX DE.

The $ACTION could be start or stop.

# Assumed to be set beforehand: AEMUID (console user), AEMPWD (its password),
# H (host), P (port), DELAY (seconds to wait between calls), ACTION (start|stop).
# The password variable is named AEMPWD because $PWD is the shell's own
# working-directory variable and would not expand to the password.
curl -u "$AEMUID:$AEMPWD" -Faction="$ACTION" \
    "http://$H:$P/system/console/bundles/com.adobe.granite.crxde-lite"
sleep "$DELAY"
curl -u "$AEMUID:$AEMPWD" -Faction="$ACTION" \
    "http://$H:$P/system/console/bundles/com.adobe.granite.crx-explorer"
sleep "$DELAY"
curl -u "$AEMUID:$AEMPWD" -Faction="$ACTION" \
    "http://$H:$P/system/console/bundles/com.day.cq.dam.dam-webdav-support"
sleep "$DELAY"
curl -u "$AEMUID:$AEMPWD" -Faction="$ACTION" \
    "http://$H:$P/system/console/bundles/org.apache.sling.jcr.davex"
sleep "$DELAY"
curl -u "$AEMUID:$AEMPWD" -Faction="$ACTION" \
    "http://$H:$P/system/console/bundles/org.apache.sling.jcr.webdav"
sleep "$DELAY"

 These bundles should be stopped.
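As an added example (not code from the thread, from AEM or from Adobe), a Python script that reads each bundle's state from the Felix web console before deciding whether the stop action the curl calls above send is still needed, so a run is idempotent and can double as a check. The console's JSON field names, the base URL and the credentials are assumptions.

```python
"""Audit the checklist's WebDAV bundles through the Felix Web Console JSON view.
Assumed (not from the thread): GET /system/console/bundles/<name>.json returns
the state in data[0].state; POST action=stop|start matches the curl calls above."""
import base64
import json
import sys
import urllib.request

WEBDAV_BUNDLES = [  # bundles named in the checklist and in the curl script above
    "org.apache.sling.jcr.webdav",
    "org.apache.sling.jcr.davex",
    "com.day.cq.dam.dam-webdav-support",
]

def bundle_state(console_json):
    """Return the bundle state ("Active", "Resolved", ...) from console JSON."""
    data = json.loads(console_json).get("data") or []
    return data[0].get("state", "Unknown") if data else "Missing"  # Missing = not installed

def plan_action(state, want_stopped):
    """Return the console action (start/stop) needed, or None if already as wanted."""
    if want_stopped and state == "Active":
        return "stop"
    if not want_stopped and state in ("Resolved", "Installed"):
        return "start"
    return None

def console_request(base_url, user_pass, path, action=None):
    """GET bundle JSON, or POST action=start|stop, with HTTP basic auth."""
    body = f"action={action}".encode() if action else None
    req = urllib.request.Request(f"{base_url}/system/console/bundles/{path}", data=body)
    req.add_header("Authorization", "Basic " + base64.b64encode(user_pass.encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def audit(base_url, user_pass, enforce=False):
    """Map each bundle to (state, planned action); with enforce, stop Active ones."""
    report = {}
    for name in WEBDAV_BUNDLES:
        state = bundle_state(console_request(base_url, user_pass, name + ".json"))
        action = plan_action(state, want_stopped=True)
        if action and enforce:
            console_request(base_url, user_pass, name, action)
        report[name] = (state, action)
    return report

if __name__ == "__main__":
    # usage: python webdav_audit.py http://localhost:4502 admin:admin [--enforce]
    for n, (s, a) in audit(sys.argv[1], sys.argv[2], "--enforce" in sys.argv).items():
        print(f"{n}: {s}" + (f" -> {a}" if a else " (ok)"))
```

Without --enforce the script only reports, which is the form to run on a production instance before and after applying the checklist.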

ArpitVarshney

MVP

28-05-2020

Hi @ClintLundmark 

  • We must configure the production environment with the -nosamplecontent run mode, which by default disables the bundles. The idea behind that is that if they are disabled, the AEM user can't see any hierarchy in the crx/de console, which makes sense for a production environment so that nobody can access these sensitive consoles directly.

Below is the health check report for the sample content run mode of a nonprod environment:


Screenshot.png

The message clearly says that it should be used with the author/publisher + sample content run mode, while it should be disabled for the -nosamplecontent run mode (production-ready).

Regards,

Arpit

ClintLundmark

28-05-2020

Hey @ArpitVarshney,

Thanks for the reply! Here are some screenshots of the bundles in question and of Security Checks -> WebDAV Health Check. The bundles are not active, as suggested per the Security Checklist. However, the WebDAV Health Check is giving me a warning [WARN]. If the bundles should not be active, then the WebDAV Health Check probably should not be in status:WARN, but instead should be in status:OK. Maybe I am missing something?

AEMWebDAVStopped.png

AEMWebDAVHealthCheck.png

...

clint

ArpitVarshney

MVP

28-05-2020

Hi @ClintLundmark ,

What is the run mode of your running instance? Is it configured with --samplecontent or --nosamplecontent?

Regards,

Arpit Varshney