
Permission issues with Lucee REMOTE Methods

Hi Everyone,
I am not sure if something has changed recently (within Lucee’s code / Tomcat configs) but here are the symptoms…

I have a 403 forbidden response when attempting to call a method that is marked as REMOTE.
The same code works on our production server, which is:

  • Lucee 5.3.10.97
  • Tomcat 8.5.39.0
  • Java 11.0.19.7
  • nginx 1.19

On our Test server, we have:

  • Lucee 5.4.3.16
  • Tomcat 9.0.82.0
  • Java 11.0.20.8
  • nginx 1.24.0

Our install process is:

  • install tomcat
    • Create a tomcat user and group
    • create a www-data group
    • add tomcat user to www-data group
  • install mod_cfml_valve (1.1.11)
  • Install nginx
    • add nginx user to www-data group
    • add nginx to tomcat group
    • add tomcat to nginx group
  • update / match the secret between tomcat / nginx for mod_cfml
  • update the ownership of the “/app” directory to be tomcat:www-data

Both tomcat and nginx users are members of the www-data group.

We have code that calls an api endpoint via cfhttp.
We have api keys and secrets defined in the headers.
(The values are inserted dynamically via ENV vars.
I have verified that the values being passed in match the values they are being compared against.
I have also changed these to be hardcoded values (as a test), but that does not help.)

local.h = new http(
	method = "post",
	url = this.apiEndpoint & "my.cfc?method=myMethod&returnformat=json",
	charset = "utf-8",
	timeout = 30
);

local.h.addParam(
	type = "header",
	name = "apiKey",
	value = this.apiKey
);

local.h.addParam(
	type='header',
	name='Content-Type',
	value='application/json'
);

local.h.addParam(
	type = "body",
	value = serializeJSON(qry)
);

local.r = local.h.send().getPrefix();

Here is the method signature of myMethod():
remote string function myMethod() {...}

However the result of calling:
local.r = local.h.send().getPrefix();

is 403 Forbidden.

I can call the same URL / using the same headers and body from CURL - and the request finishes successfully…

At first I thought I had a file / directory permissions issue…
And so I added the nginx and tomcat users to each other's groups and the www-data group.
Restarted both services.
This didn’t change anything.

I then found this forum post
And thought - “YES” that is exactly my issue…
so I added that header in, too:

local.h.addParam(
	type='header',
	name='Accept',
	value='*/*'
);

But that didn’t make any difference either.

(I of course restarted the Tomcat service between attempts - and made sure I hit another URL, successfully - to ensure that the contexts were created)

Then just to rule it out - I did
chmod -R 777 /app
(restarted the server / hit a different URL…)
And that didn’t help either.

I have exhausted all that I can think of and consumed all my google-fu reading all the things that I could find that seemed to resemble something like what I was suffering from, too.

If anyone else has something to share - I would be most grateful!
