I recently tried to access a site (an AEM author server) that always requires authentication. I was attempting to use basic authentication in the URL in the browser address bar, as follows: http://admin:admin@localhost:4502/
But when I tried that, I got the following security confirmation (in Firefox 38.0.1):
Clicking "Yes" took me to the non-authenticated login page, seemingly ignoring the basic auth credentials I had sent. The following questions (and the comments on them) helped me understand that this is because the AEM author server is not asking for authentication credentials: it is not sending the WWW-Authenticate HTTP response header:
- How does http://user:[email protected] authentication work?
- Why do browsers not send the Authentication header when the credentials are provided in the URL?
Hence, the browser didn't actually send the basic auth credentials I had put in the address bar.
So that led me to question why the AEM author server, which always requires authentication, isn't sending the HTTP WWW-Authenticate header. But that begs a larger question:
For a site that always requires authentication, is it reasonable to expect that site to always send the WWW-Authenticate response header, or are there valid reasons to not include this header even though authentication is indeed required?
There are different types of authentication an application may implement and require. AEM does not require basic auth (except for the AEM Felix console). You cannot expect to be logged in directly with an authentication method that is not supported, not required or not currently configured. That's why the browser notifies you that no authentication is required for this page. AEM uses an HTML page with a form for username and password, and the authentication request is sent to the backend, where Sling processes it further. Read more about this topic in the CQ basics or Sling authentication docs.
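To make the browser behaviour from the question and the form-login behaviour from the answer concrete, here is an added example (not code from the question, the answer or AEM). It models two constructed servers as plain functions, one that challenges with `WWW-Authenticate: Basic` and one that, like AEM as described above, never challenges and instead redirects to a login form, plus a minimal model of the browser: it parses the `user:password@` userinfo out of the URL, requests the page without credentials, and only attaches an `Authorization` header in reply to a 401 with a Basic challenge. The `/login.html` path, the `login-token` cookie and the `admin:admin` credentials are assumptions for the example.

```python
"""Credentials in the address bar are only sent after a Basic challenge.

Added example, not the page's or AEM's code.  Both servers are constructed
stand-ins; paths, cookie name and credentials are assumptions.
"""
import base64
from urllib.parse import urlsplit

LOGIN_PAGE = "/login.html"          # assumed login page path
VALID_CREDENTIALS = ("admin", "admin")  # assumed account for the example


def basic_auth_server(path, headers):
    """Constructed server that protects every path with HTTP Basic auth:
    no credentials -> 401 plus a WWW-Authenticate challenge."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:            # bad base64 / not UTF-8
            user, pw = None, None
        if (user, pw) == VALID_CREDENTIALS:
            return 200, {}, f"welcome {user}"
    return 401, {"WWW-Authenticate": 'Basic realm="author"'}, "auth required"


def form_login_server(path, headers):
    """Constructed server in the style the answer describes for AEM:
    a cookie session and an HTML login form, never a WWW-Authenticate header."""
    if headers.get("Cookie") == "login-token=ok":
        return 200, {}, "welcome"
    if path == LOGIN_PAGE:
        return 200, {}, "<form>username / password</form>"
    return 302, {"Location": LOGIN_PAGE}, ""


def browser_fetch(url, server):
    """Model of the browser's handling of http://user:pw@host/ URLs.

    The first request carries no credentials.  Only a 401 whose challenge
    is Basic makes the browser retry with an Authorization header.  A 302
    is followed once without credentials, which is how the user in the
    question ended up on the login page.  Returns the final status, body
    and the list of (path, request headers) pairs that were sent.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    sent = []

    def do_request(p, h):
        sent.append((p, dict(h)))
        return server(p, h)

    status, resp_headers, body = do_request(path, {})
    challenge = resp_headers.get("WWW-Authenticate", "")
    if status == 401 and challenge.lower().startswith("basic") and parts.username:
        userinfo = f"{parts.username}:{parts.password or ''}".encode()
        token = base64.b64encode(userinfo).decode()
        status, resp_headers, body = do_request(
            path, {"Authorization": f"Basic {token}"})
    if status == 302:
        status, resp_headers, body = do_request(resp_headers["Location"], {})
    return {"status": status, "body": body, "requests": sent}


def credentials_were_sent(result):
    """True if any request in the exchange carried an Authorization header."""
    return any("Authorization" in h for _, h in result["requests"])


if __name__ == "__main__":
    url = "http://admin:admin@localhost:4502/"
    for name, srv in (("challenging server", basic_auth_server),
                      ("form-login server", form_login_server)):
        r = browser_fetch(url, srv)
        print(f"{name}: status={r['status']} credentials sent="
              f"{credentials_were_sent(r)} final body={r['body']!r}")
```

Against the challenging server the model makes two requests and the second one carries `Authorization: Basic YWRtaW46YWRtaW4=`; against the form-login server it never sends the credentials at all and lands on the login form, exactly the outcome described in the question. A command-line client behaves differently: `curl -u admin:admin http://localhost:4502/` sends the `Authorization` header on the first request without waiting for a challenge, so a site that silently accepts Basic credentials can appear to "work" from curl while the browser address-bar form does not.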