Posted to dev@sling.apache.org by Andreas Amstutz <an...@javaconsulting.dk> on 2008/09/24 00:41:35 UTC

sling 3 installation observations

Hi all

I just deployed org.apache.sling.launchpad.webapp-3-incubator on my public tomcat dev server and observed that the access to /system/console/ is not secured by default.

Shouldn't access to the console be secured by default?

Webdav access to http://host/slingwebapp3/ is also possible without providing any credentials.

How do I secure webdav access?

Regards
Andreas

Re: sling 3 installation observations

Posted by Felix Meschberger <fm...@gmail.com>.
Hi Andreas,

Andreas Amstutz schrieb:
> Hi all
> 
> I just deployed org.apache.sling.launchpad.webapp-3-incubator on my
> public tomcat dev server and observed that the access to
> /system/console/ is not secured by default.
> 
> Shouldn't access to the console be secured by default?

This is true. To enable (simple) authentication in the Felix Console,
you go to the Configuration page of the console, select the "OSGi
Management Console" configuration and set a username and password.

In the next release of the console, authentication is enabled by
default. Still, it is the very simple one. I am thinking of adding
support for the UserAdmin service later... (as always, patches are welcome
to speed things up ;-) ). And also please note that the console is part of
the Apache Felix project.

> 
> Webdav access to http://host/slingwebapp3/ is also possible without
> providing any credentials.
> 
> How do I secure webdav access?

Authentication to Sling (both WebDAV and normal browsing) is done
through Jackrabbit which (currently as of 1.4.x) comes without any
strong authentication out of the box (but can be configured to do so).

In addition, the Authentication Handler is configured to accept
anonymous connections, that is, to not force authentication. You can
change that by also going to the Configuration page of the console,
selecting the "Request Authenticator" configuration and making sure the
"Allow Anonymous Access" checkbox is unchecked.

Hope this helps.

Regards
Felix
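One way to verify, after making the two configuration changes above, that both the console and the WebDAV root now challenge anonymous requests. This is an added example, not code from the thread or from the Sling or Felix projects; the local stub server that stands in for a Sling instance (console protected, WebDAV root still anonymous) is constructed for the demonstration, and the base URL is whatever your deployment uses.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


def probe(url, method="GET", timeout=5):
    """Send one unauthenticated request; return (status, WWW-Authenticate header)."""
    u = urlparse(url)
    headers = {"Depth": "0"} if method == "PROPFIND" else {}
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request(method, u.path or "/", headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("WWW-Authenticate")


def is_protected(url, method="GET"):
    """An endpoint counts as secured only if it answers 401 *and* sends a challenge."""
    status, challenge = probe(url, method)
    return status == 401 and challenge is not None


def audit(base):
    """Check the two endpoints discussed in the thread: the console (GET)
    and the WebDAV root (PROPFIND, the method WebDAV clients use first)."""
    return {
        "console": is_protected(base + "/system/console/"),
        "webdav": is_protected(base + "/", "PROPFIND"),
    }


class _Stub(BaseHTTPRequestHandler):
    """Constructed stand-in for a Sling instance: console secured, WebDAV root not."""
    def _reply(self):
        if self.path.startswith("/system/console"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="OSGi Management Console"')
        else:
            self.send_response(200)
        self.end_headers()
    do_GET = _reply
    do_PROPFIND = _reply

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub():
    """Start the constructed stub on a free local port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), _Stub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Run `audit("http://host/slingwebapp3")` against a real deployment; any entry still reporting False means that endpoint still accepts anonymous requests.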