HELP ---> The server understood the request but refuses to authorize it

Hi all LuceeFans,

I am old in ColdFusion but very new (few hours) in Lucee! and I need some help on connecting websites to Tomcat-Lucee.

In my dev lap I have CF2018 and about 15 websites, and I installed and Lucee successfully.
Then

  1. I run the configuration tool of ACF and deleted there 2 of my sites (to play with Lucee on them).

  2. I disabled (not just stoped) all CF services.

  3. In IIS I deleted these 2 websites, and also deleted their application pools.

  4. In their folders I deleted everything of their previous setup as sites, eg settings.xml and all CFBuilder puts there.

  5. I rebooted (CF services always being disabled) and cleaned everything with a registry cleaner.
    So in this point these 2 websites did not exist as websites any more.

  6. In IIS I setup again these 2 websites giving to them a common Application pool. They work just fine serving static html pages.

  7. I run Lucee Connector Setup, I accepted all as they already were (I had chosen not to connect to all IIS sites), and just checked these 2 “new” websites. (It was already checked and the default one)

  8. Now I run a simple cfm page of them and I get the error message


HTTP Status 403 – Forbidden

Type: Status Report
Description: The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.35

Questions
A) Do you have any idea what’s the problem and how can I solved it???
B) Do we always have to write something (a host section) in server.xml manually in order to connect a website???

Thank you in advance for your help

just use mod_cfml

https://viviotech.github.io/mod_cfml/install-win-iis.html

This error sounds like of the AJP secret key not being passed to Tomcat that has been introduced as a security fix of Tomcat’s Ghostcat vulnerability. Please take a look at the following blog post
and make sure the secret key is set in your server.xml file and in the boncode connector settings.

1 Like

Thanks Zac for your reply

I read the link you gave but it didn’t help. Besides what is written there does not match to what really happens as I explain below.

All I want is to install Lucee in my development lap (Win 10 Pro) where I have IIS and Adobe CF 2018 supporting about 10 sites.
For the moment I want to test Lucee on the default IIS web site (c:\inetpub\wwwroot) + 1 test site.
My TEST web site is in http://localhost:50999 and its root directory is “D:\projects\TEST”

Lucee and Tomcat have been installed SUCCESSFULLY and I see administrator (server & web).

In order to not have conflicts between ACF and Lucee

  • I deleted ALL sites from ACF configuration tool, so now ACF does not support any sites.
  • Disabled all CF services
    Do you think these disabled CF services (without any website being connected to) affect the connection between Tomcat and IIS ?

Also the user “Local Service” running Lucee service has rights in “C:\inetpub\wwwroot” (default IIS) and “D:\projects\TEST” (Test site root) and all subfolders there (/Bin etc).

All my problem is on the setup of the connector between Tomcat and IIS.
After Lucee installation I run “C:\Lucee\AJP13\Connector_Setup.exe”
In your link it says:

If you installed the connector into “ALL SITES”, then this file will be in the Windows system32 directory: “c:\windows\system32\BonCodeAJP13.settings”. If you installed the connector on a PER-SITE BASIS, then the “BonCodeAJP13.settings” file will be in the “BIN” directory inside your site’s home directory.

When running Connector_Setup.exe I chose “Per-site basis” and checked 2 sites, (the default IIS site and the TEST site). The Connector_Setup created the BIN directories in the roots of these 2 sites, copied there 3 files: “BonCodeAJP13.dll”, “BonCodeIIS.dll” and “iisRemoveHandlers.txt” BUT didn’t copy there the file “BonCodeAJP13.settings”. On the contrary it copied it in the directory “c:\windows” as if I had chosen “All Sites”.

Is it a BUG of Connector_Setup.exe ???

The file “C:\LUCEE\tomcat\conf\server.xml” is below:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
 
  <Service name="Catalina">

    <Connector port="8888" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Connector protocol="AJP/1.3"
                   port="8009"
                   secretRequired="true"
                   secret="my_secret_key"
                   redirectPort="8443" />

    <Engine name="Catalina" defaultHost="127.0.0.1">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
 
      <Host name="127.0.0.1"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
 
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
                      pattern="%h %l %u %t &quot;%r&quot; %s %b" />

                     <Valve className="mod_cfml.core"
                         loggingEnabled="false"
                         maxContexts="200"
                         timeBetweenContexts="2000"
                         scanClassPaths="false"
                         responseCode="307"
                        sharedKey="a_shared_key"/> 
      </Host>

      <!--- a test site I setup for Lucee --->
      <Host name="TEST" appBase="webapps">
           <Context path="" docBase="D:/PROJECTS/TEST" />
      </Host>
 
    </Engine>
  </Service>
</Server>

As the installation of the connector did not installed “BonCodeAJP13.settings” in the BIN directory of the declared websites, I copied it there, and you can see what it includes in the test site below

D:\Projects\TEST\BIN\BonCodeAJP13.settings

<Settings>
<Port>8009</Port>
<Server>localhost</Server>   
<MaxConnections>200</MaxConnections>
<LogLevel>0</LogLevel>  
<FlushThreshold>0</FlushThreshold>
<EnableRemoteAdmin>False</EnableRemoteAdmin>
<secretRequired>True</secretRequired>
<requiredSecret> my_secret_key</requiredSecret>
<EnableHeaderDataSupport>True</EnableHeaderDataSupport>
</Settings>

When I call the home page of TEST site (http://localhost:50999/index.cfm) I get the error message below:
HTTP Status 403 – Forbidden
Type Status Report
Description The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.35

So, what’s the problem?

In “c:\lucee\tomcat\conf\server.xml”, and in “connector” tag, the
secret=“my_secret_key”
is the SAME as in “d:\projects\test\bin\BonCodeAJP13.settings is the parameter “requiredSecret”

Does this secret_key must be the same and in server.xml, “Valve” tag, parameter sharedKey???

Thanks a lot in advance
XCrystal

Thank you Andreas for your reply. Please take a look in my reply to Zac in order to see the problem.

yes

Thank you Zac for your quick kind reply.

I put everywhere the same secret key but nothing changed. I got the same error (HTTP Status 403 – Forbidden).
But I noticed that in server.xml and at the bottom where there is info about hosts, the “name” parameter does mean name of the site, but the domain of it.
So as you see below for my TEST site I put name=“localhost:50999”

<Host name="localhost:50999" appBase="webapps">
   <Context path="" docBase="D:/PROJECTS/TEST" />
</Host>

Now running the home page of the test site (and the IIS default site) I get a different error message. It is below.

Error connecting to Apache Tomcat instance.Please check that a Tomcat server is running at given location and port.

Details:
No connection could be made because the target machine actively refused it 127.0.0.1:8009
You can change this message by changing TomcatConnectErrorURL setting in setting file.

No connection could be made because the target machine actively refused it 127.0.0.1:8009 at System.Net.Sockets.TcpClient..ctor(String hostname, Int32 port) at BonCodeIIS.BonCodeCallHandler.ProcessRequest(HttpContext context)

Does it says something to you about where the problem is?

did you restart all the services?

I’m not that of a pro to say it for sure, but is the port “:50999” in the name attribute of the <host> directive a valid value? I thought the port is configured in the <connector> directive only, like so:

<Connector port="50999" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
...
<Host name="localhost" appBase="webapps">
   <Context path="" docBase="D:/PROJECTS/TEST" />
</Host>

That will of course change Lucee’s default port 8888.

Zac you wrote about serviceS, not service. I thought there is only one service “Apache Tomcat 9.0 Lucee”. Is there any other service for Lucee and connector to run? (Question 1)

After some tests here I noticed that the service “Apache Tomcat 9.0 Lucee” does not load automatically, and even when I load it manually after few seconds it shuts down. The service was loaded just fine after Lucee installation. The only thing that has been changed since then is that I added in server.xml the section below

<Host name="localhost:50999" appBase="webapps">
   <Context path="" docBase="D:/PROJECTS/TEST" />
</Host>

When I replace “localhost:50999” with “TEST” or “localhost” or “127.0.0.1” then the service loads just fine and never shuts down. Then when I call the TEST page I get again the first error message

HTTP Status 403 – Forbidden
Description The server understood the request but refuses to authorize it.

It seams server.xml does not accept port in name parameter of hosts.
From the other hand I see in HOST ENTRY TEMPLATE that in name parameter we have to write DOMAIN NAME, not the name of the site in IIS that for me is TEST. In a development machine the sites have not IPs, nor domains of course. We host them in IIS with different ports on the localhost IP (127.0.0.1) or as subfolders of the IIS default website (c:\inetpub\wwwroot).

So the question 2 is what a Lucee developer writes in hosts of server.xml for the sites he works on in a dev machine??? (Question 2)

How you setup the BonCodeAJP13.settings in the BIN directory of the sites in a dev machine (Per site installation of connector)? The port parameter in BonCodeAJP13.settings of each site has to be he port of the site instead of the default 8009??? (Question 3)
I didn’t find any short clear documentation about the different senarios of connector installation.

Please note that beside the TEST site on port 50999, I get the same error message

HTTP Status 403 – Forbidden
Description The server understood the request but refuses to authorize it.

and when I call the default page of localhost, I mean
http://localhost/index.cfm or
http://127.0.0.1/index.cfm
being in C:\inetpub\wwwroot\index.cfm

So the error message has nothing to do especially with the TEST site and its port.
Any idea what’s the problem?

Thanks in advance

Andreas you are right about the port 50999. See my reply to Zac. The port in name attribute of host shuts down the service. Please note that the host where I write this port is just one of the sites in my development machine. Fully replacing CF with Lucee I would have e.g. 10, 20… host sections down in server.xml wjere it says ADD NEW HOSTS HERE. Each of these sites would have different port on the localhost as far as they can not have their own domain in a development machine. So it would not be one port to replace the port in connector protocol=“HTTP/1.1” … I guess the different port of each site in a way has to be written in BonCodeAJP13.settings in the BIN directory of each site. If it has to be written and in server.xml it has to be somewhere in its host, that’s why I had put it in the host name attribute as localhost:port works as site identifier (“domain”) in a dev machine.

I think this is getting complicated, and is not how Lucee runs by default when installed with the installer. If you want to run Lucee with different ports with Tomcat, you need to

a) add an additional <connector> with that port, or
b) run a second (or more) tomcat instances in parallel with different port configurations. This will need second (or more) additional windows services for Lucee running with different tomcat bases and server.xml configurations.

But I’d suggest to check if this is really needed, because running Lucee on different ports makes sense only in very specific situations: e.g. for security reasons (e.g. when you are hosting sites for different customers who have access to webroots), or if you want to have the sites running with independent configurations, or load balancing. In most cases this is not necessary. That is why Lucee installer installs and connects to IIS based by host names to one single Tomcat instance. And if you use mod_cfml (like @Zackster told already) you usually don’t need to configure anything at all. You just add the site in IIS and mod_cfml will do the job for you by creating the hosts and contexts in Tomcat for you.

It’s possible to mimic these domain names locally on your dev machine by using your OS hosts configuration file. So you can perfectly use the real domain name and they will use your local dev machines IP.

If you really want to run Lucee with different ports locally, i’d recommend also to checkout commandbox. It maybe easier to run Lucee instances on different ports. But this will also depend how identical your local dev environment needs to be to your production environment. It all depends.

If you want to try commandbox behind IIS, please watch this great video created by brad wood.

Thank you Andreas for your reply. I didn’t want something strange or complicated as you say. I just wanted to do what I already do 24 years with ACF in my dev machine where I have IIS supporting all my sites aiming to have about the same environment as in the production boxes. I mean IIS + CF. Setting up my local sites in IIS binding with localhost (same for all sites) + a port (different for each site and in ranges over 50000) the ACF web server configuration tool was recognizing all these sites and I could choose them to be connected to ACF Tomcat. It was a 1 minute work to setup a new site under IIS and connect it to ACF. Nothing was needed of all the complexity you describe. And I am convinced that it is very easy and with Lucee too. The good news is I solved the problem.
Thank you very much for your help.

@XCrystal that is great news. Could you please share how you managed it to make it work? I’m and surely others too are curious and it would be great for us for future similar requests to have it documented in this forum. Would be great and appreciated.

Andreas, I absolutely understand that and since my message to you I write a complete text with everything I did, in order to help other developers of Lucee community. Although I didn’t do something extraordinary, but yes the point is I have Lucee working just fine “seeing” sites, and ACF too. I’ll publish it in a while.

I hope that very much. I’m not from the Lucee support team, just a usual dev like you are. I’ve taken my time and experience to try helping you. I think that it is very important to contribute in this community, share experiences and more. Imagine nobody would share his experience? For the next issue you might need, I’ll too wait and publish it in a while then. Wish you good day and enjoy your new awesome free Lucee engine.

If a developer has e.g. 10 sites under IIS in his dev box and he wants to move from ACF to Lucee step by step, e.g. as a first step moving let’s say 3 sites to Lucee, then “by the book” during Lucee installation he should choose “Per site” in order to connect to Lucee just these 3 sites. If you decide to go “by the book” you will lose some days digging, testing and reading a 66 pages of the connector manual.

As I see it’s widely accepted that the “by the book” Lucee “Per site” connection is a complicated process with many disadvantages, although personally I didn’t find somewhere short clear instructions step by step how to do it, in order to make my own opinion. So, in order to setup my dev box with Lucee I decided to not use again “Per site” connections and adopt the “All sites”. So everything below is done with the default “All sites” option.

Also trying to solve my problem I noticed that in server.xml and in section

<Host name="[ENTER DOMAIN NAME]" appBase="webapps">
     <Context path="" docBase="[ENTER SYSTEM PATH]" />
     <Alias>[ENTER DOMAIN ALIAS]</Alias>
</Host>

the “name” parameter can’t be the “domain”, in any form the developer uses it in URL. For example if he setup the sites in his dev box with same IP (127.0.0.1), no host name, and different ports to indentify the sites, e.g.
Site1 127.0.0.1:50001 (or localhost:50001)
Site2 127.0.0.1:50002 (or localhost:50002) etc
then the “domain” 127.0.0.1:50001 is not accepted as name parameter in host tag of server.xml.
If it is used, and having edit the server.xml try to restart Lucee service, the service SHUTS DOWN. So I guess in the above name parameter only names in “domain looking format” are accepted.

So what I did to solve the problem

  • I uninstalled everything of the previous Lucee installation (Connector, Lucee).
  • I deleted whatever remained eg “c:\lucee” folder and all WEB-INF folders in the websites’ root.
  • I cleared everything with registry cleaner.
  • Using “ACF web server configuration tool” I deleted all the connections of ACF to my 10 sites.
  • Disabled all ACF services
  • Rebooted.

After reboot no Lucee was active (was uninstalled) nor ACF (services disabled), so I could work only in IIS level. I changed the bindings of all my sites in order their identification to not be based on different ports any more. I had 2 options for that in IIS bindings.

Scenario 1 (classic)

  • I used the default port=80 for all sites
  • In IP address I used different IP for each site like 127.0.0.2, 127.0.0.3 etc
  • In host name I wrote a domain format name e.g. site2name.me, site3name.me or whatever
  • In hosts.txt I inserted new lines e.g. 127.0.0.2 site2name.me, 127.0.0.3 site3name.me etc
  • In IIS I restarted each site.
  • I tested that I could see static html pages using these new dev box “domains”. e.g. http://site2name.me/index.htm. All worked just fine.

Scenario 2

  • I used the default port=80 for ALL sites
  • In IP address I used 127.0.0.1 for ALL sites.
  • In host name I wrote 3rd level domain names having as second and first level “dnndev.me”. So the host name for each site was e.g. site1name.dnndev.me, site2name.dnndev.me, or abcd.dnndev.me or whatever like that.
  • I wrote NOTHING in hosts.txt
  • In IIS I restarted each site.
  • I tested that I could see static html pages using these new dev box “domains”
    e.g. http:// site1name.dnndev.me/index.htm. Again all worked just fine.

About only creating subdomains on the domain dnndev.me in order to identify sites in a dev box, see more here http://sitename.dnndev.me/index.htm

I used the first (classic) scenario for setting up ALL my sites under IIS.

Then I installed Lucee again with all the default options, including “All sites”. At the end I didn’t run any connector manually, nor edited any xml, settings etc file (server.xml, BonCodeAJP13.settings etc). After the installation I could access cfm pages e.g. http://site2name.me/index.cfm in ALL my sites!!!

Then, I disabled Tomcat-Lucee service, enabled Adobe CF service and using the Adobe web server configuration tool I connected one site to ACF (remember I had deleted ACF connections to all my sites before Lucee installation). The site, let’s say site A, was working just fine as before the ACF connection!!!

CONCLUSION A —> The choice of the default “All sites” option during Lucee installation didn’t affect, block or conflicts on connecting later ACF to some of these sites.

In order to know WHO supports this site (being connected to Lucee AND ACF at the same time), I disabled ACF service, tested the site, re-enabled ACF service, then disabled Lucee service, tested the site again, and re-enabled Lucee service back again. From this test I saw that the site A was serving cfm pages only when ACF service was running. When ACF service was disabled and Lucee service enabled calling cfm page was giving an error message below

Service Temporarily Unavailable!
Tomcat/ISAPI/isapi_redirector/1.2.46

So Lucee had lost its own connection to the site, even when ACF is disabled. It’s not a surprise since after connections have been done, the handler of cfm pages is an internal issue of the web server IIS, and web server does not know and not care which service is disabled or enabled.

I took a look in IIS handler Mappings of this site A and in comparison to another one. let’s say site B, which was one of the “All sites” of Lucee installation and had no connection to ACF. See the image below.

Image9

As we see a new record there, for the same script file extension (.cfm, .cfc etc), does not replace an older record for the same extension. So when I connected and ACF to site A the system just appended one more record for the same extension!.

CONCLUSION B —> In IIS web server the handlers and the script extensions have in general a relation of M:N, not 1:N

Obviously conclusion B leads to the question “Which one of the N (=2) handlers has the control on the extension cfm?”

The test I did enabling - disabling the two services shows that in the web server (at least IIS) handler mappings give “real handler role” to ACF when both (Lucee and ACF) have connection to the same site.
But the above phrase couldn’t be a safe conclusion, because I thought that maybe the “real handler role” is given to whatever made the MOST RECENT connection, which in this case just happened to be ACF.

Since Lucee makes the connections to all sites during installation, the only way Lucee connections to be the most recent ones was to …uninstall Lucee again, then make ACF connections to some sites and then reinstall Lucee.
Curious to see what happens, I did it. So uninstalled Lucee, connected 2 sites to ACF and re-installed Lucee. During Lucee installation I noticed that Lucee didn’t ask me to choose the default option “All sites” as it did the first time when ACF had no connections to my sites. Strange ha? Lucee installation does not present at all the option for “All sites” because simply it can’t take handler role on already existing sites connected with ACF. So Lucee would not be reliable to make my wish for “All sites” come true. I confirmed my thought after Lucee installation by calling a cfm page of the 2 sites I had connect to ACF BEFORE Lucee installation. The sites were supported by ACF although the MOST RECENT connection was with Lucee!! Also I noticed that in IIS Handler Mappings Lucee had installed its own records for .cfm and .cfc as always but these handlers had no effect at all although they were the most recent ones.

CONCLUSION C —> Lucee during installation makes connections to all sites BUT in sites where ACF has connections (whatever time point they were made, before or after Lucee installation and connections setup) the handling of these sites remains under ACF. Lucee connections have no effect to them.

TOP CONCLUSION —> So in the typical scenario of a web developer having e.g. 10 IIS sites supported by ACF, and willing to move step by step to Lucee, e.g. to setup 1 of the sites to be handled by Lucee, then 2-3 more etc all he has to do is

  • To install Lucee with the default options (he will not see the “all sites” option because at least 1 ACF site already exists), and then
  • To disconnect ACF from the site he wants to move to Lucee. Without ACF handler the Lucee handler will take the control of the site.
  • If he wants to setup a completely new site under Lucee, all he has to do is to setup the new site in IIS. Lucee handlers will be installed automatically (Amazing!!!).
  • If he wants to setup a completely new site under ACF, all he has to do is to setup the new site in IIS, Lucee handlers will be installed automatically as before, and then he has to make an ACF connection to this new site. ACF handler will take the control from Lucee handler.

I think these are extremely flexible and convenient for an easy step by step transition to Lucee, as most of the professional CF developers need.

Two more points

  1. After Lucee re-installation I setup an IIS site based on Scenario 2 of IIS bindings (see above), with host name e.g. “site1name.dnndev.me”. Lucee setup handler for it automatically as always and it was working just fine.
    CONCLUSION D —> In IIS bindings both scenarios (1 & 2) can be used and be supported by Lucee successfully.

  2. Then I setup a new site as I did in the past (localhost:50001). Lucee again installed handler automatically but could not process cfm pages, giving an error message.
    CONCLUSION E —> Sites based on different ports can’t be supported by Lucee whenever they had been setup (before or after Lucee installation).

I hope the above were useful and save your time.
Being new in Lucee, if I made any mistake your corrections are welcome.
Thanks for reading


Only one thing I know,
that I know nothing
(Socrates)

2 Likes

Thank you soooo much for taking your time and writing it all down. There are so many different types of installations. Really glad you added your solution and experience. It’s a great help! Thanks! And before I forget it again, welcome to our community!!!