Hi Andreas,

Andreas Amstutz wrote:
> Hi all
>
> I just deployed org.apache.sling.launchpad.webapp-3-incubator on my
> public tomcat dev server and observed that the access to
> /system/console/ is not secured by default.
>
> Shouldn't access to the console be secured by default?

This is true. To enable (simple) authentication in the Felix Console, you go to the Configuration page of the console, select the "OSGi Management Console" configuration and set a username and password.

In the next release of the console, authentication is enabled by default. Still, it is the very simple one. I am thinking of adding support for the UserAdmin service later ... (as always, patches welcome to speed things up ;-) ).

Also, please note that the console is part of the Apache Felix project.

>
> Webdav access to http://host/slingwebapp3/ is also possible without
> providing any credentials.
>
> How do I secure webdav access?

Authentication to Sling (both WebDAV and normal browsing) is done through Jackrabbit, which (currently, as of 1.4.x) comes without any strong authentication out of the box (but can be configured to do so).

In addition, the Authentication Handler is configured to accept anonymous connections, that is, to not force authentication. You can change that by also going to the Configuration page of the console, selecting the "Request Authenticator" configuration and making sure the "Allow Anonymous Access" checkbox is unchecked.

Hope this helps.

Regards
Felix
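A check to run after applying the two settings described in the reply above, added here as an example and not part of the original message or of the Sling or Felix code: it sends one request without credentials to the console and one WebDAV `PROPFIND` to the repository, then reports whether each was served or challenged. It assumes a secured endpoint answers with a 401 and a `WWW-Authenticate` header; the function names and the URLs passed in are illustrative.

```python
import http.client
import sys
from urllib.parse import urlsplit

def http_probe(method, url, timeout=5):
    """Send one request with no credentials; return (status, WWW-Authenticate)."""
    u = urlsplit(url)
    https = u.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        # Depth: 0 limits the WebDAV listing to the collection itself.
        headers = {"Depth": "0"} if method == "PROPFIND" else {}
        conn.request(method, u.path or "/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()

def classify(status, challenge):
    """Map the response to an unauthenticated request to a verdict."""
    if status == 401 and challenge:
        return "protected"      # server demanded credentials (assumed secured behaviour)
    if 200 <= status < 300:
        return "open"           # served without credentials (207 for PROPFIND)
    return "inconclusive"       # redirect, 403, 404, 5xx: check by hand

def audit(console_url, webdav_url, probe=http_probe):
    """Probe the console with GET and the repository with PROPFIND."""
    checks = {"console": ("GET", console_url), "webdav": ("PROPFIND", webdav_url)}
    return {name: classify(*probe(method, url))
            for name, (method, url) in checks.items()}

if __name__ == "__main__":
    # usage: python <this file> <console URL> <webdav URL>
    results = audit(sys.argv[1], sys.argv[2])
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    sys.exit(1 if "open" in results.values() else 0)
```

The non-zero exit status when either surface is still open makes the script usable as a deployment gate for a public-facing dev server.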
