• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

403 Forbidden Access after installing Update 14

Explorer ,
Sep 27, 2020 Sep 27, 2020

Copy link to clipboard

Copied

I installed ColdFusion update 14 and all of my ColdFusion websites ( except the administrator website ) return a 403. Please help. This is a WIndows Server 2012 ColdFusion 2016 build. Re-installing is not an option. I have removed the update for now until I can find a solution.

 

HTTP Status 403 – Forbidden


Type Status Report

Description The server understood the request but refuses to authorize it.


Apache Tomcat/8.5.42

Views

2.6K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Community Expert , Sep 28, 2020 Sep 28, 2020

You will indeed get the same error, because the updates are indeed cumulative. Your frustration is understandable and shared. But as is explained in the technote bkbk pointed to (or elaborated in my blog posts), that update (and update 8 to cf2018, bit from March 2020) will cause this error FOR SECURITY REASONS (forced on us by Tomcat), until one also updates the wsconfig to match the security change implemented by the cf update.

 

Is it frustrating? Yes. Is it documented in the technote? Yes. B

...

Votes

Translate

Translate
Community Expert ,
Sep 27, 2020 Sep 27, 2020

Copy link to clipboard

Copied

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 27, 2020 Sep 27, 2020

Copy link to clipboard

Copied

Hi Charlie, funnily enough, your link is itself giving me a 503 error. 

BKBK_0-1601275967293.png

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

Try again. It's Adobe's site, where I'd posted that blog entry. It worked when I posted it and works now. 

 

But if it still fails for you, it's a shorter version of a more extended post I did here:

 

https://www.carehart.org/blog/client/index.cfm/2019/11/13/when_how_update_cf_web_connector


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

Thanks, Charlie. Both links work now! 🙂

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 27, 2020 Sep 27, 2020

Copy link to clipboard

Copied

Why install Update 14 anyway? The current update level of ColdFusion 2016 is 16, and updates are cumulative.

 

If I were you I would apply Update 16.  If you continue to get 403 or 503 errors, go to the page https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-14.html . Scroll down to the "Troubleshooting" section and apply the suggestions there.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

Thanks BKBK. I did not know they were cumulative. I will install update 16 and see if we are good to go and let you know. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

I installed update 16 and the same forbidden error returns. "The server understood the request but refuses to authorize it." 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

You will indeed get the same error, because the updates are indeed cumulative. Your frustration is understandable and shared. But as is explained in the technote bkbk pointed to (or elaborated in my blog posts), that update (and update 8 to cf2018, bit from March 2020) will cause this error FOR SECURITY REASONS (forced on us by Tomcat), until one also updates the wsconfig to match the security change implemented by the cf update.

 

Is it frustrating? Yes. Is it documented in the technote? Yes. But most folks don't read the update technotes. And even then, the discussion there is rather meager. These are reasons I wrote my posts, to help folks and try to explain it all. Most important, that first post I offered tried to share the least one needed to know--but I could have made it still less verbose. My other post elaborates on the issues, for those needing more. 

 

And this problem will affect folks using cf for years to come (until Adobe creates a new installer for cf2018 that includes the then latest updates out it the box--and if they would do that for cf2016, whose updates end in 2021).

 

The good news is that for most, simply upgrading the connector (as outlined in those resources) will solve the "problems" introduced with those March 2020 cf updates. And if that's not enough, they outline the couple of additional config changes that may be needed, again due to Tomcat issues. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
May 09, 2022 May 09, 2022

Copy link to clipboard

Copied

I know this is an old thread and I've read everything there is about the 403 problem, but none of them could fix it for me. I'm running CF 2016 on IIS 10.

After I installed Update 14, I updated the connectors and added allowedRequestAttributesPattern=".*" to server.xml in my CF instance. But I got a 403 on my website. So I deleted the connector and created it again, using the wsconfig GUI tool. It made no difference. The server.xml connector line looks like this:

<Connector connectionTimeout="60000" maxThreads="500" port="8012" packetSize="65535" protocol="AJP/1.3" redirectPort="8445" secret="{long secret number}" tomcatAuthentication="false" allowedRequestAttributesPattern=".*" />

I thought if I then try applying Update 17 it might help, but it didn't. I've read all of Charlie's articles but 4 hours later I'm still completely stuck. (If only there was a CF 2016 installation exe that had Update 17 already applied, then I wouldn't have to go through the many steps of patching.)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 09, 2022 May 09, 2022

Copy link to clipboard

Copied

Gary, I think you're very close. First, the secret attribute you show (on the AJP connector line in the server.xml file) should be requiredSecret. Did you edit that by hand? The cf update would have put in the correct attribute for you.

 

Then it's the secret in the worker.properties file that must match this. See the blog post I've done, as well as comments from myself and others (that you must expand to see, on the cf portal blog post comments).

 

Finally, you're right in your the lament regarding the need of a cf2016 installer which would fold the updates in, but that won't happen given that cf2016 reached end of life in Mar 2021.


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
May 10, 2022 May 10, 2022

Copy link to clipboard

Copied

Hi Charlie,

 

Thanks for your super quick reply. I didn't edit the "secret" attribute, it really does say that as the default. I checked my initial backup copy of server.xml and it says that too. Neither update 14 or 17 used "requiredSecret", even after deleting and adding a new connector using wsconfig.

 

I just updated the file as you suggested, restarted the CF service, but still got a 403. Browsing the site on the local web server showed the 403 error from Tomcat "The server understood the request but refuses to authorize it." and browsing from a remote desktop showed the 403 coming from IIS. I found that interesting but I guess that's normal.

 

There is no "secret" in the workers.properties file. The content is:

worker.list=WS01_DEV_1

worker.WS01_DEV_1.type=ajp13
worker.WS01_DEV_1.host=localhost
worker.WS01_DEV_1.port=8012
worker.WS01_DEV_1.connection_pool_size=500
worker.WS01_DEV_1.connection_pool_timeout=60
worker.WS01_DEV_1.max_reuse_connections=250

Does this file look how you'd expect it to be, or is it missing something too?

Thanks.

Gary.

Out of curiousity, are Adobe folding the latest updates into current 2018 and 2021 installers? I bet they're not as they've never done that before.

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
May 10, 2022 May 10, 2022

Copy link to clipboard

Copied

Hi,

 

please edit the file with your secret from server.xml

worker.list=WS01_DEV_1

worker.WS01_DEV_1.type=ajp13
worker.WS01_DEV_1.host=localhost
worker.WS01_DEV_1.port=8012
worker.WS01_DEV_1.connection_pool_size=500
worker.WS01_DEV_1.connection_pool_timeout=60
worker.WS01_DEV_1.max_reuse_connections=250
worker.WS01_DEV_1.secret={Your Secret Key}

This will require IIS restart. 

 

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
May 10, 2022 May 10, 2022

Copy link to clipboard

Copied

Thank you Priyank! That fixed it! 🙂

 

So the question should be asked why Update 14, and indeed Update 17 applied afterwards, both failed to include the secret in the workers.properties file? Wsconfig was used to both update and create the connections.

 

If I delete the connector from wsconfig and add it again, the workers.properties file is written without the secret - the whole line is missing and it's reproducable every time. I've got Update 17 installed. This must be a bug?

 

I've made careful notes of this so we can apply the updates to production servers. Thank you again.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
May 10, 2022 May 10, 2022

Copy link to clipboard

Copied

@Gary__F  Glad that suggestion worked for you. 

 

That is very strange behavior, it should add the secret entry into workers.properties. Either it could be an update installation issue or may be a configuration. 

 

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 10, 2022 May 10, 2022

Copy link to clipboard

Copied

Gary, yes, the wsconfig tool should have done that. First, we're you using "run as admin"? You might see if that makes a difference. Second, if you remove the connector in question (using the wsconfig tool), is that worker.properties deleted? Please confirm. If it's not, then like Priyank says something seems surely amiss...though I have never heard of that happening.


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 10, 2022 May 10, 2022

Copy link to clipboard

Copied

Separately, Gary you asked me above "are Adobe folding the latest updates into current 2018 and 2021 installers? I bet they're not as they've never done that before."

 

Well, you write that as if I suggested it, but I did not. Still, the answer is a qualified yes, Adobe has on occasion created new installers that fold in the then-latest updates.

 

But to be clear, they do not do that for each update, if that's what you mean. With cf2021, they did it this past Sept, with the release of update 2. With cf2018, they did it Apr 2019 with its release 2. Usually it's done when some major change happens, like to support a new OS.

 

Sadly, this does mean that we can then go another year or two where no new installer has been released (even while the version IS supported), and so people are dealing with back-issues from earlier updates like in this case.

 

We can wish that Adobe would see the value of creating new installers more often, even just once a year.  They don't seem to see the value (for us, and them) over the cost (to them) to go through that process. I would 100% support encouraging them to reconsider. Let's see if Priyank may have any comment. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
May 10, 2022 May 10, 2022

Copy link to clipboard

Copied

LATEST

Hi Charlie. Yes, I run wsconfig as administrator.

 

I removed the connector using wsconfig and the entire config/wsconfig/2 folder was deleted, which contained the workers.properties file.

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

Adobe says to "upgrade the connectors" and gives little information on how to do that. Can anyone assist in the steps needed to upgrade the connectors using the wsconfig tool?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

I figured out how to upgrade the connectors and we are now working! Woohoo. To do this, run the wsconfig.exe found in your ColdFusion install directory. Then select the IIS web site you want to upgrade the connectors for. It takes about 20 seconds to complete the update.

 

Thanks all for the links.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

Great to hear, and glad to help. I was writing my last note (how to upgrade the connectors) while you were sharing the good news. Thanks also for marking one of my answers as correct, though I hope readers will see and succeed in getting to the first link first. 🙂 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

Hi Pokermon

Glad to hear you're up and running! 🙂

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 28, 2020 Sep 28, 2020

Copy link to clipboard

Copied

I offer more on how to update the connectors here:

 

https://www.carehart.org/blog/client/index.cfm/2019/11/13/when_how_update_cf_web_connector


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation