Attempting to Update Lucee from 5.4.3.2 or 5.4.5.23 to 6.0.1.83 results in error

OS: Windows 11
Java Version: AdoptOpenJDK 11.0.4
Tomcat Version: 9.0.14
Lucee Version: lucee-5.4.5.23
Web Server: IIS

I’m attempting to update my dev machine from Lucee 5.4.3.2 to 6.0.1.83. My initial hurdle was no updates for Lucee or Extensions appearing in the admin. Both pages initially either showed errors or loaded fine but simply did not indicate updates available.

After looking at several posts on here, I downloaded the 6.0.1.83.lco file. Accessing the admin (http://127.0.0.1:8888/lucee/admin/server.cfm) resulted in a “can’t access [C:\lucee\tomcat\lucee-server\context\userdata] directory must be inside [C:\lucee\tomcat\webapps\ROOT | C:\dir1 | C:\dir2 | C:\dir3] access is prohibited by security manager” error. The admin root context file access was set to “all”. The General context was set to “local” and listed those three additional directories. I have several other contexts, but they don’t list those specific custom directories.

I pulled the .lco file, restarted Lucee, logged into the admin, and set the General context file access to “all”, and tried restarting with the .lco file in place again. Same result, including listing those three custom directories which no longer appeared anywhere in my lucee-server.xml file. Setting the root context file access to “local” and adding custom directories also resulted in an error, including the same list of acceptable custom directories on the error page, even though the root context listed different directories. Adding the “C:\lucee\tomcat\lucee-server\context\userdata” directory to either the General or root context didn’t change anything.

I then removed the 6.0.1.83.lco and dropped in a 5.4.5.23.lco file. This worked beautifully, updating Lucee and a number of its extensions. However, though there were no errors on the admin update pages, they still listed no updates available.

I dropped in the 6.0.1.83.lco file, and I’m back where I started, with the security manager error.

My first question is, does the update process cache security settings somewhere? Nothing I do to the server file access settings (or the lucee-server.xml file) seems to modify the directories Lucee sees as available to the update process.

My second question is, do .lco files work for major version updates?

My third question is…help?

Of note: This is a dry run for eventually updating a live server, so minimally invasive solutions preferred. Thanks!

First off, your Tomcat version is out of date; as such, it's highly insecure and prone to a ton of bugs.

You should back up your old Lucee install directory and reinstall Lucee.

Lucee 6 converts your lucee-server.xml to a .CFconfig.json file.

The two versions, while related, are different under the hood.

If you are “new” to Lucee I would suggest just going with Lucee 6, as it is the latest version of the software.

3 Likes

Much appreciated! The settings were being “cached” in the .CFconfig.json file. All changes done to the lucee-server.xml after I switched back to 5.4.5.23 were completely ignored in future update attempts. Renaming the .CFconfig.json file allowed the 6.0.1.83 update process to transfer the changes and update Lucee (and the Tomcat version)–the key change being setting the general file access to “all” (the ROOT context had no effect).

However, setting the general context file access back to “local” still broke the admin unless I added “C:\lucee\tomcat\lucee-server\context\userdata” as an exception. Additionally, all the custom individual site contexts that I had created were completely gone. They were visible in the .CFConfig.json file, but absent from the server admin “Security > Access > Individual” page. Creating a context in the admin overwrote the customized context in the .CFConfig.json with the general context settings.

I don’t know about the standard update route, but it seems like the .lco update route is completely ignoring specific web contexts, both during and after the update process.

1 Like

It won’t even save new security contexts. Creating one, changing the default values, updating it, and going back to edit it displays the default values, even though the new values appear in the .CFConfig.json. Restarting Lucee drops all contexts back into the “create new web context” dropdown. Editing the General context works as expected.

Is no one else experiencing issues with Lucee 6 multi mode security contexts?