Access denied on certain CF pages after reinstall/ upgrade

californiaimage · March 9, 2020, 2:10am

I just completed a reinstall and reconfiguration.
Base sites are loading fine.
Multiple pages however are showing:

Lucee 5.3.4.80 Error (java.io.FileNotFoundException)
Message C:\inetpub\wwwroot\MYSITE\WEB-INF\lucee\cfclasses\CFC__inetpub_wwwroot_MYSITE3152\application_cfm$cf.class (Access is denied)
Java Stacktrace lucee.runtime.exp.NativeException: C:\inetpub\wwwroot\MYSITE\WEB-INF\lucee\cfclasses\CFC__inetpub_wwwroot_MYSITE3152\application_cfm$cf.class (Access is denied)

Application log shows nothing.
These are root pages in the same web directory.

Is there a user permission or something that needs to placed on wwwroot folders or some other base permission that needs to be applied somewhere?

Here are some logs, let me know what else can help diagnose. Been looking at this for a few hours to no avail…
Thanks!

Java Stacktrace:
lucee.runtime.exp.NativeException: C:\inetpub\wwwroot\MYSITE\WEB-INF\lucee\cfclasses\CFC__inetpub_wwwroot_MYSITE3152\application_cfm$cf.class (Access is denied)
at java.base/java.io.WinNTFileSystem.createFileExclusively(Native Method)
at java.base/java.io.File.createNewFile(File.java:1024)
at lucee.commons.io.res.type.file.FileResource.getOutputStream(FileResource.java:248)
at lucee.commons.io.res.type.file.FileResource.getOutputStream(FileResource.java:241)
at lucee.commons.io.IOUtil.copy(IOUtil.java:155)
at lucee.runtime.compiler.CFMLCompilerImpl._compile(CFMLCompilerImpl.java:175)
at lucee.runtime.compiler.CFMLCompilerImpl.compile(CFMLCompilerImpl.java:76)
at lucee.runtime.PageSourceImpl._compile(PageSourceImpl.java:405)
at lucee.runtime.PageSourceImpl.compile(PageSourceImpl.java:372)
at lucee.runtime.PageSourceImpl.loadPhysical(PageSourceImpl.java:329)
at lucee.runtime.PageSourceImpl.loadPageThrowTemplateException(PageSourceImpl.java:221)
at lucee.runtime.PageSourceImpl.loadPage(PageSourceImpl.java:986)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:939)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:836)
at lucee.runtime.listener.ClassicAppListener._onRequest(ClassicAppListener.java:64)
at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:43)
at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2415)
at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2405)
at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2380)
at lucee.runtime.engine.Request.exe(Request.java:43)
at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1110)
at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1056)
at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:415)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:830)
Caused by: java.io.IOException: Access is denied
… 46 more

Lucee 5.3.4.80
Windows Server 2016 (10.0) 64bit
Apache Tomcat/9.0.31
13.0.2 (Oracle Corporation) 64bit

californiaimage · March 9, 2020, 3:12am

Further researching I found two essentially identical web cfm pages. One loads fine one gives access denied error. I even created test.cfm with only hello world, saved and it gave access is denied. I even changed IIS permission to remove inheritance, and gave user Everyone full control. Still Access is denied error…
(Saving as test.html, loads fine.)

Lucee 5.3.4.80 Error (java.io.IOException)
Message Access is denied
Java Stacktrace lucee.runtime.exp.NativeException: Access is denied
at java.base/java.io.WinNTFileSystem.createFileExclusively(Native Method)
at java.base/java.io.File.createNewFile(File.java:1024)
at lucee.commons.io.res.type.file.FileResource.getOutputStream(FileResource.java:248)
at lucee.commons.io.res.type.file.FileResource.getOutputStream(FileResource.java:241)
at lucee.commons.io.IOUtil.copy(IOUtil.java:155)
at lucee.runtime.compiler.CFMLCompilerImpl._compile(CFMLCompilerImpl.java:175)
at lucee.runtime.compiler.CFMLCompilerImpl.compile(CFMLCompilerImpl.java:76)
at lucee.runtime.PageSourceImpl._compile(PageSourceImpl.java:405)
at lucee.runtime.PageSourceImpl.compile(PageSourceImpl.java:372)
at lucee.runtime.PageSourceImpl.loadPhysical(PageSourceImpl.java:329)
at lucee.runtime.PageSourceImpl.loadPageThrowTemplateException(PageSourceImpl.java:221)
at lucee.runtime.PageSourceImpl.loadPage(PageSourceImpl.java:986)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:905)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:836)
at lucee.runtime.listener.ClassicAppListener._onRequest(ClassicAppListener.java:64)
at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:43)
at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2415)
at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2405)
at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2380)
at lucee.runtime.engine.Request.exe(Request.java:43)
at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1110)
at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1056)
at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:415)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:830)
Caused by: java.io.IOException: Access is denied
… 46 more

Timestamp 3/8/20 8:11:35 PM PDT

andreas · March 9, 2020, 5:22am

Glad you are making some progress… What comes to my mind is, that maybe you have reinstalled lucee with a new user that is running the tomcat service and now it cant access to some of your old files that had different user settings/permissions. If test.html loads just fine, it is because .html files are not passed
from IIS to lucee/tomcat. They are served soly by IIS, just like images and other static files are.

What I would try is:

Option 1: Check if you can access http://localhost:8888 without any problems. If you can access lucee local welcome site without issues (what I am pretty sure you will), look for file permission of path_to_lucee_installation\tomcat\webapps\root and watch out for any tomcat user and look at that tomcat user settings/file permission. Add that same user and file permissions to your C:\inetpub\wwwroot\MYSITE\

Option 2: In case you haven’t any settings set per web-context-admin, you can also try to:

stop lucee service,
backup the folder C:\inetpub\wwwroot\MYSITE\web-inf and place the backup somewhere ouside of that webroot
delete the web-inf folder C:\inetpub\wwwroot\MYSITE\web-inf
restart the lucee service

This will recreate a web-inf folder with the default server context settings. But be carefulll, because if you have configurations set at web-context level (e.g. scheduler, datasources, mappings etc) deleting the webinf folder will also delete these and convert to default. But you’ll be able to use / look into the config files of the backuped web-inf folder then.

Hope that helps.

californiaimage · March 9, 2020, 5:33am

Thanks! I will giver it a shot!!

californiaimage · March 9, 2020, 5:57am

Looks like we are on the right track with permissions, not there yet…

**So I am able to access (http://localhost:8888/ without any problems.

I looked for user differences between
path_to_lucee_installation\tomcat\webapps\root
&
C:\inetpub\wwwroot\MYSITE
*I found no difference.
*I did not see any TomCat related user account in either case.

So I tried deleting C:\inetpub\wwwroot\MYSITE\web-inf and restarting Lucee and get:

HTTP Status 500 – Internal Server Error

Type Exception Report

Message can’t create directory C:\inetpub\wwwroot\MYSITE\WEB-INF\lucee

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

javax.servlet.ServletException: can’t create directory C:\inetpub\wwwroot\MYSITE\WEB-INF\lucee lucee.runtime.engine.CFMLEngineImpl.getConfigDirectory(CFMLEngineImpl.java:899) lucee.runtime.engine.CFMLEngineImpl.loadJSPFactory(CFMLEngineImpl.java:834) lucee.runtime.engine.CFMLEngineImpl.addServletConfig(CFMLEngineImpl.java:712) lucee.loader.engine.CFMLEngineWrapper.addServletConfig(CFMLEngineWrapper.java:87) lucee.loader.engine.CFMLEngineFactory.getInstance(CFMLEngineFactory.java:210) lucee.loader.servlet.CFMLServlet.init(CFMLServlet.java:42) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:415) org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639) org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) java.base/java.lang.Thread.run(Thread.java:830)

Where might the credentials sit for the TomCat ability to write to IIS folders assuming this is where the error leads…
Thanks again!

californiaimage · March 9, 2020, 6:13am

ok We are good.
I found C:\luceeroot\tomcat\conf tomcat-users.xml
I created and admin per https://tecadmin.net/set-admin-password-in-tomcat/
It had the access needed after granting rights to IIS Wwwroot…
Thanks # andreas!!

andreas · March 9, 2020, 6:50am

This is great!!! Really glad you got everything working!!! Just one little note: Make sure you get rid of that “everyone” user/file permission that you’ve set before when dealing with the issue ( because of security ). If you don’t remember, how the permissions were set up, create a new test site through the IIS administrator with some webroot and see the file permissions of that folder after creation. This permisssions added with your new tomcat user and tomcat permission should be the ones that should work fine for your sites.

californiaimage · March 9, 2020, 7:08am

:), yes I have deleted the everyone permission. I dont need to shoot myself in the foot exponentially more that I have already. Thanks man!