Stop Apache Sling WebDAV or not

ClintLundmark

27-05-2020

In the Security Checklist for AEM 6.4 in the section Disable WebDAV, it mentions stopping the following bundles:

  • Apache Sling Simple WebDAV Access to repositories (org.apache.sling.jcr.webdav)
  • Apache Sling DavEx Access to repositories (org.apache.sling.jcr.davex)

However in Security Checks in the Operation Dashboard there is a health check for WebDAV Health Check.  (Tools -> Operations -> Health Reports -> Security Checks -> WebDAV Health Check).  In that Health Check it will issue a warning if "Apache Sling Simple WebDAV Access to repositories" is disabled. 

The information displayed in the health check is:

  • INFO The WebDav bundle should be available and active in all runmodes.
  • INFO On instances started in author or publish + sampleconent runmodes the SimpleWebDavServlet should be configured.

With status:

  • [WARN] The Sling WebDav bundle is NOT active.
  • [WARN] The SimpleWebDavServlet is NOT configured.

Which is correct or more secure?  Should the bundle be stopped, or should it be configured?

...

clint

Replies

jbrar

27-05-2020

If you start the AEM instance with "nosamplecontent", which is production ready [1], this will automatically take care of stopping this bundle on production publish websites.

[1] https://docs.adobe.com/content/help/en/experience-manager-64/administering/security/production-ready...

ClintLundmark

27-05-2020

@jbrar , Thanks for the reply.  I am not certain that -nosamplecontent does disable both of those bundles.  In my case, after installing using that runmode I found this bundle Active - "Apache Sling Simple WebDAV Access to repositories".   Regardless of whether -nosamplecontent does or does not disable/stop the bundle, it still does not explain the discrepancy between the security checklist documentation and the security checks through the Operations Dashboard.

Arun_Patidar

27-05-2020

Hi,

Yes, by default it is not disabled. We used curl to disable and enable it in case we need it, mostly for CRX/DE.

The $ACTION could be start or stop.


# $ACTION is start or stop. The password is read from $AEMPWD: the shell already
# reserves $PWD for the current working directory, so it cannot hold the AEM password.
curl -u $AEMUID:$AEMPWD -Faction=$ACTION \
    http://$H:$P/system/console/bundles/com.adobe.granite.crxde-lite
sleep $DELAY
curl -u $AEMUID:$AEMPWD -Faction=$ACTION \
    http://$H:$P/system/console/bundles/com.adobe.granite.crx-explorer
sleep $DELAY
curl -u $AEMUID:$AEMPWD -Faction=$ACTION \
    http://$H:$P/system/console/bundles/com.day.cq.dam.dam-webdav-support
sleep $DELAY
curl -u $AEMUID:$AEMPWD -Faction=$ACTION \
    http://$H:$P/system/console/bundles/org.apache.sling.jcr.davex
sleep $DELAY
curl -u $AEMUID:$AEMPWD -Faction=$ACTION \
    http://$H:$P/system/console/bundles/org.apache.sling.jcr.webdav
sleep $DELAY

These bundles should be stopped.

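As an added example (it is not Arun's script and not Adobe tooling), a POSIX sh script that reads each checklist bundle's state from the Felix web console JSON endpoint, stops it only when it is Active, and re-reads the state so the result can be compared with the WebDAV Health Check afterwards. It assumes the /system/console/bundles/<symbolic-name>.json endpoint of the Felix web console and the environment variables H, P, AEMUID, AEMPWD and DELAY; the sample JSON inside the block is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the thread: stop the two bundles named in the AEM 6.4
# security checklist only if they are Active, then re-read their state.
# Assumes the Felix web console JSON endpoint /system/console/bundles/<name>.json
# (state reported in data[0].state) and env vars H, P, AEMUID, AEMPWD, DELAY.
# AEMPWD is used instead of PWD because sh already sets PWD to the working directory.

CHECKLIST_BUNDLES="org.apache.sling.jcr.webdav org.apache.sling.jcr.davex"

# Constructed sample of the endpoint's output, used only for offline checks.
SAMPLE_JSON='{"status":"Bundle information: 1 bundle","data":[{"id":77,"name":"Apache Sling Simple WebDAV Access to repositories","symbolicName":"org.apache.sling.jcr.webdav","state":"Active","stateRaw":32}]}'

# Pull the "state" value out of a single-bundle JSON document (Active, Resolved, ...).
bundle_state_from_json() {
    printf '%s\n' "$1" | sed -n 's/.*"state":"\([^"]*\)".*/\1/p' | head -n 1
}

# Decide what to do for a given state: only an Active bundle needs stopping.
action_for_state() {
    case "$1" in
        Active) echo stop ;;
        *)      echo none ;;
    esac
}

fetch_bundle_json() {
    curl -s -f -u "$AEMUID:$AEMPWD" "http://$H:$P/system/console/bundles/$1.json"
}

stop_bundle() {
    curl -s -f -u "$AEMUID:$AEMPWD" -F action=stop \
        "http://$H:$P/system/console/bundles/$1" >/dev/null
}

# Check, stop if needed, and verify; prints one line per bundle.
enforce_checklist() {
    for b in $CHECKLIST_BUNDLES; do
        before=$(bundle_state_from_json "$(fetch_bundle_json "$b")")
        if [ "$(action_for_state "$before")" = stop ]; then
            stop_bundle "$b"
            sleep "${DELAY:-2}"
        fi
        after=$(bundle_state_from_json "$(fetch_bundle_json "$b")")
        echo "$b: before=${before:-unknown} after=${after:-unknown}"
    done
}

# Network calls only run when explicitly requested: RUN_ENFORCE=1 ./script.sh
if [ "${RUN_ENFORCE:-0}" = 1 ]; then
    enforce_checklist
fi
```

Run it once before and once after the change and compare the printed before/after states with what the Health Check reports.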

ArpitVarshney

28-05-2020

Hi @ClintLundmark 


  • We must configure the production environment with the -nosamplecontent run mode, which by default disables the bundles. The idea behind that is that if they are disabled, the AEM user can't see any hierarchy in the crx/de console, which makes sense for a production environment so that nobody can access these sensitive consoles directly.

Below is the health check report for sample content run mode of nonprod environment:

Screenshot.png

The message clearly says that it should be used with the author/publisher + sample content run mode, while it should be disabled for the -nosamplecontent run mode (production-ready).

Regards,

Arpit

ClintLundmark

28-05-2020

Hey @ArpitVarshney,


Thanks for the reply!  Here are some screenshots of the bundles in question and the Security Checks -> WebDAV Health Check.  The bundles are not active, as suggested per the Security Checklist.  However, the WebDAV Health Check is giving me a warning [WARN].  If the bundles should not be active, then the WebDAV Health Check probably should not be in status:WARN, but instead should be in status:OK.  Maybe I am missing something?

AEMWebDAVStopped.png

AEMWebDAVHealthCheck.png


...

clint

ArpitVarshney

28-05-2020

Hi @ClintLundmark ,


What is the run mode of your running instance? Is it configured with --samplecontent or --nosamplecontent?


Regards,

Arpit Varshney

ClintLundmark

28-05-2020

The instance was originally installed with -nosamplecontent run mode.