Tomcat AJP secret 403 errors

So I reinstalled Lucee on the server and its not using Java 11. I was able to get installed for Oracle and the database connection is good. However, our application keeps giving either a 403 “the server understood the request but refused to authorize it”, or a 503 “service unavailable” error. Our Apache is running as well as Lucee, which starts Tomcat.

Our server.xml has the “secret” and “secretRequired” configured:

<Connector protocol=“AJP/1.3”




redirectPort=“8443” />

Which leads to the 403 error. And if we take that out, we get the 503. So what has changed in the Tomcat installation (9.0.65) that we could be missing?



Did you just install Lucee with the installer on top of apache (that was already running with Lucee)?

How is your Apache connected with Tomcat? Looks like your secret isn’t being passed from Apache to Tomcat correctly. That is causing the 403 error when having secret and secretrequired set in your server.xml. What Apache version are you using?

For the 503 error… What does the apache error log say about it? Did you check it?

I made sure that the secret matched in Apache and in server.xml, and the services do start, but I still get the 403 error “The server understood the request but refuses to authorize it”. And the logs are NO help! They don’t show anything being wrong that I could see, which makes troubleshooting next to impossible.

[ /etc/httpd/conf]#systemctl restart httpd;/etc/init.d/lucee_ctl restart;tail -f /var/log/httpd/error_log /opt/lucee/tomcat/logs/catalina.out

  • Shutting down Lucee: . . . . . . . [DONE]

  • Starting Lucee: Using CATALINA_BASE: /opt/lucee/tomcat

Using CATALINA_HOME: /opt/lucee/tomcat

Using CATALINA_TMPDIR: /opt/lucee/tomcat/temp

Using JRE_HOME: /usr/lib/jvm/java-11-openjdk-

Using CLASSPATH: /opt/lucee/tomcat/bin/bootstrap.jar:/opt/lucee/tomcat/bin/tomcat-juli.jar


Using CATALINA_PID: /opt/lucee/tomcat/work/

Existing PID file found during start.

Removing/clearing stale PID file.

Tomcat started.

. . . [DONE]

Also, I did reinstall Lucee on top of Apache. I have a forward.conf file under /etc/httpd/conf.d that uses ProxyPass to proxy requests to the Tomcat backend:

<Directory “/WebProjects”>

AllowOverride All

Options +Indexes

Require all granted

DirectoryIndex index.cfm

<Proxy *>

Allow from

ProxyPreserveHost On

ProxyPass /CSD ajp://localhost:8009/CSD

ProxyPassReverse /CSD ajp://localhost:8009/CSD

Like I said earlier, The “secret” value in /etc/httpd/conf/httpd.conf and /opt/lucee/tomcat/conf/server.xml match, but nothing is reflected in the logs that there is anything wrong. And the Google Chrome Developer console just shows the 403 error and no other details.



That is still saying that your AJP secret isn’t being passed. I’m still missing how you are connecting your AJP in Apache2 to Tomcat. How and where are you adding the secret to your apache configuration? There is a known issue with passing secrets for AJP with Apache: According to Apaches docs you would need Apache2 from 2.4.42 and later (see mod_proxy_ajp.html documentation). But I even don’t know if you are connecting AJP through proxy_ajp or reverse proxy. If so, and according to your Apache2 Version, you may need to connect AJP with a rewrite rule then. But if everything is on one server, you may also just turn secretrequired to false in Tomcat.

Apache was configured by the installer as follows:

LoadModule modcfml_module modules/

CFMLHandlers “.cfm .cfc .cfml”

ModCFML_SharedKey “0060142b74ed40af02b5b82b5bf6079ee87d8e3b73c34c10dc1cb9ffad0a9955”

LogHeaders false

LogHandlers false

LogAliases false

VDirHeader false

I just tried setting “secretRequired” to”false” in server.xml, and restarted Apache and Lucee, and I still get the 403 error, and nothing useful in the logs. Is there an example on passing this secret between Apache and Lucee?



OK, I commented out ModCFML_SharedKey in /etc/httpd/conf/httpd.cong (so its commented out on both ends), restarted Apache and Lucee, and it appears to be working now. I think I’m good for now. I appreciate all of the help and suggestions.



If everything is running and its ok for you, then everything is fine.

Just to be clear and also for the ones who are going to read this post with similar issues: the modcfml_sharedKey has nothing to do with the AJP secretkey. The modcfml_secretkey is for the modcfml valve (see Mod_cfml Docs), not for the AJP connector (see Apache2 AJP docs . I’ve posted a link in a previous post above alread, but it looks like it has been overseen.

But if everything is running, then all is ok. If you have any further issues, we’ll be glad to help.

Harry, following on Andreas’ comment (and before we close this out), it could help you and all following along to have you confirm a) you have the mod_cfml valve defined in Tomcat/Lucee, and if so, b) does the above ModCFML_SharedKey value from the apache conf line match the sharedKey in the Tomcat conf file for the valve?

For more on that valve, see:

It can indeed be confusing to keep in mind all the different “secrets” which may come into play for different purposes. :slight_smile: Even the AJP config in tomcat has two different secret settings, one being requiredSecret from before and then secret being implemented after the ghostcat changes in early 2020 (not to mention that it then offered a new boolean secretRequired!)