September 22, 2020
Estimated Post Reading Time ~

Getting forbidden response for AEM login page

If you are facing a problem accessing the AEM login page; /libs/granite/core/content/login.html and getting HTTP ERROR 403, FORBIDDEN and in the log you are getting below error message. It means somehow you have updated the SlingAuthenticator configuration.

*INFO* [0:0:0:0:0:0:0:1 [1402592178132] GET / HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
*INFO* [0:0:0:0:0:0:0:1 [1402592178132] GET / HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate anonymous user: Login Failure: all modules ignored



AEM login page forbidden

Resolution:
Step 1: Under the configuration "Apache Sling Authentication Service" verify the entry of login page in property Authentication Requirements (sling.auth.requirements) set with minus symbol [-/libs/granite/core/content/login]. If you found the correct entry then check the second step.

Step 2: We have another property sling.auth.anonymous.user under the same configuration. Somehow this property has been updated hence the system is unable to open the login page which should be accessible to anonymous users. 

Explanation of sling.auth.anonymous.user property; it defines which user name to assume for anonymous requests, that is requests not providing credentials supported by any of the registered authentication handlers. If this property is missing or empty, the default is assumed which depends on the resource provider(s). Otherwise anonymous requests are handled with this user name. If the configured user name does not exist or is not allowed to access the resource data, anonymous requests may still be blocked. If anonymous access is not allowed, this property is ignored.

To fix this issue, go to AEM config manager [/system/console/configMgr] and search for "Apache Sling Authentication Serviceor go directly using this link in your local AEM instance http://localhost:4502/system/console/configMgr/org.apache.sling.engine.impl.auth.SlingAuthenticator

But since, we are unable to login to the AEM, and without login, we cant access the Felix console(config manager). Hence we will update the config from the crx-quickstart repository. The same config file we will find in our crx-quickstart folder under directory launchpad
\crx-quickstart\launchpad\config\org\apache\sling\engine\impl\auth
in this file if you see there is some value assign to property sling.auth.anonymous.user then make it empty like sling.auth.anonymous.user=""

Sample SlingAuthenticator.config file
:org.apache.felix.configadmin.revision:=L"2"
auth.annonymous=B"false"
auth.http="preemptive"
auth.http.realm="Sling\ (Development)"
auth.sudo.cookie="sling.sudo"
auth.sudo.parameter="sudo"
auth.uri.suffix=[ \
"/j_security_check", \
]
service.pid="org.apache.sling.engine.impl.auth.SlingAuthenticator"
sling.auth.anonymous.user=""
sling.auth.requirements=[ \
"+/", \
"-/libs/granite/core/content/login", \
"-/etc.clientlibs", \
"-/etc/clientlibs/granite", \
"-/libs/dam/remoteassets/content/loginerror", \
]



By aem4beginner

No comments:

Post a Comment

If you have any doubts or questions, please let us know.