Commandbox: Cannot access, no password is defined

Hi,

I came across a strange issue today that I couldn’t access Server Admin page.

I created an empty folder and run box start. The server started okay. When I tried to access Server Admin page, it gave the following error:

Lucee 5.4.4.38 Error (expression)
Message	Cannot access, no password is defined
Stacktrace	The Error Occurred in
/admin/web.cfm: line 179
called from /admin/server.cfm: line 2
Java Stacktrace	lucee.runtime.exp.ExpressionException: Cannot access, no password is defined
  at lucee.runtime.config.ConfigServerImpl.checkAccess(ConfigServerImpl.java:693)
  at lucee.runtime.config.ConfigWebImpl.getConfigServer(ConfigWebImpl.java:179)
  at lucee.runtime.tag.Admin._doStartTag(Admin.java:613)
  at lucee.runtime.tag.Admin.doStartTag(Admin.java:364)
  at web_cfm$cf.call(/admin/web.cfm:179)
  at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1056)
  at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:948)
  at lucee.runtime.PageContextImpl.doInclude(PageContextImpl.java:929)
  at server_cfm$cf.call(/admin/server.cfm:2)
  at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:1056)
  at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:948)
  at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:219)
  at lucee.runtime.listener.ModernAppListener.onRequest(ModernAppListener.java:107)
  at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2493)
  at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2478)
  at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2449)
  at lucee.runtime.engine.Request.exe(Request.java:45)
  at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1215)
  at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1161)
  at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
  at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
  at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
  at org.cfmlprojects.regexpathinfofilter.RegexPathInfoFilter.doFilter(RegexPathInfoFilter.java:54)
  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
  at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
  at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
  at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
  at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
  at runwar.undertow.SSLCertHeaderHandler.handleRequest(SSLCertHeaderHandler.java:161)
  at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
  at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
  at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
  at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
  at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
  at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
  at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
  at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
  at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
  at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
  at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
  at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
  at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
  at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:175)
  at io.undertow.server.handlers.HttpContinueReadHandler.handleRequest(HttpContinueReadHandler.java:69)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at runwar.undertow.WelcomeFileHandler.handleRequest(WelcomeFileHandler.java:39)
  at io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:104)
  at runwar.undertow.SiteDeployment$1.handleRequest(SiteDeployment.java:162)
  at io.undertow.predicate.PredicatesHandler.handleRequest(PredicatesHandler.java:141)
  at io.undertow.server.handlers.DisallowedMethodsHandler.handleRequest(DisallowedMethodsHandler.java:62)
  at io.undertow.predicate.PredicatesHandler.handleRequest(PredicatesHandler.java:113)
  at io.undertow.server.handlers.encoding.EncodingHandler.handleRequest(EncodingHandler.java:72)
  at runwar.undertow.LifecyleHandler.handleRequest(LifecyleHandler.java:143)
  at runwar.undertow.SiteDeployment$4.handleRequest(SiteDeployment.java:345)
  at io.undertow.server.Connectors.executeRootHandler(Connectors.java:393)
  at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
  at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
  at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:2019)
  at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1558)
  at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1449)
  at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
  at java.base/java.lang.Thread.run(Thread.java:829)
 
Timestamp	3/22/24 9:44:32 AM CST

I tried copying password.txt to /Users/myleslee/.CommandBox/server/2639F7434565D5B0C90E070356410450-pdm-server2/lucee-5.4.4.38/WEB-INF/lucee-server/context, it didn’t work.

What could possibly cause this error?

My other old sites work fine. I tried server forget and it doesn’t help.

****************************************************************************************************
*                                         About CommandBox                                         *
****************************************************************************************************
*                                                                                                  *
*                                                                                                  *
*  CommandBox Version: 6.0.0+00787                                                                 *
*  CommandBox Authors: Brad Wood, Luis Majano, Denny Valiant                                       *
*  CommandBox Binary   /usr/local/Cellar/commandbox/5.6.1/libexec/bin/box                          *
*  CommandBox Home     /Users/myleslee/.CommandBox                                                 *
*  CFML Engine:        Lucee                                                                       *
*  CFML Version:       5.4.4.38 stable (Gelert)                                                    *
*  Java Version:       11.0.16.1 (Homebrew)                                                        *
*  Java Path:          /usr/local/Cellar/openjdk@11/11.0.16.1_1/libexec/openjdk.jdk/Contents/Home/bin/java*
*  OS Username         myleslee                                                                    *
*  JLine Terminal      org.jline.terminal.impl.PosixSysTerminal                                    *
*  Runwar Version      5.0.0 (/Users/myleslee/.CommandBox/lib/runwar-5.0.0.jar)                    *
*                                                                                                  *
*                                                                                                  *
****************************************************************************************************

Thanks in advance.

Looks like a bug in Lucee. I’d be asking them

I have also been receiving this, but only while using a Lucee server in CommandBox. My manual Lucee installs did not do this. I have been “mitigating” it by accessing the admin URLs from different a domain and then a sub-domain for the different admin pages, i.e. mydomain.com/lucee/admin/web.cfm and www.mydomain.com/lucee/admin/server.cfm. (Note the www.)

But, you are not the only one experiencing this! And it does seem unique, in my experience, to CommandBox.

That’s so odd. I use Lucee every day on CommandBox and I’ve never seen that error. I also have a default Lucee password set via CFConfig so I guess I also probably always have a lucee password, which is likely the difference. When you install Lucee via their installer, it also always sets a password. I have a feeling Lucee has a bug regarding handling the scenario where a password hasn’t been set, but the only people who encounter it are ones using an installation of Lucee with no password set.

Ok, I think I figured this out.

TLDR; if you get this error, check if you have a lucee_admin_pw_server cookie for the domain used to access the Lucee admin. If so, delete it.

As for further explanation, I experienced the error today and found this thread. When no fix was offered, and others reported seeing it, I dug in. And besides seeing the cause and a solution (more than one), I think I can see also why only some folks would hit it.

1 - First, if we take a look at the code at the listed line 179 of the admin/web.cfm file (while the OP was running 5.4.4 I was running 5.4.5 and got the same line number reported), it’s the last of these 3 lines:

		<cfadmin action="connect"
			type="#request.adminType#"
			password="#cookie['lucee_admin_pw_#ad#']#">

So it’s about the cookie tracked for the Lucee admin password, then being used by Lucee’s cfadmin tag to log us in.

2 - As for why only some may experience it, note that folks who leave the “remember me for” option on the Lucee login page set to the default of “session” will never have that cookie set. It’s only set if you choose one of the other options. (At least that’s what I found in testing: it’s not even set as a “session” cookie in the browser, for those familiar with that concept.)

And to be clear, the code above is indeed preceded by a condition checking for its existence: !structKeyExists(session, "password" & request.adminType) && structKeyExists(cookie,'lucee_admin_pw_#ad#'). So that was a logical choice (on the face of it), for a “normal” implementation of Lucee.

3 - And in my case I did have that cookie set (the “ad” variable must have resolved to “server”, as the only cookie I had for the request was indeed lucee_admin_pw_server).

And so I deleted that cookie (in the browser dev tools, in its “application” tab, then “storage”, then “cookies”, which while viewing the page for the login will show what cookies are set for that domain), and immediately I got the login page, as expected.

4 - Finally, as for why the cookie would be “wrong” and make this code fail, it seems to be because I had been using the same browser to visit the admin of an existing (non-commandbox) Lucee instance, which had a different password. That’s why this cfadmin was failing.

It would seem only to be a snag when one may visit “different” Lucee instances using the same domain in your browser, which was 127.0.0.1 in my case.

BTW, browsers do NOT save different cookies depending on the PORT used to visit a site, so one could also hit this same problem using ONLY commandbox, if somehow the password was not the same among all Lucee instances (which can be enforced via commandbox config, I realize).

5 - So bottom line, to anyone hitting this error, you actually have a few choices:

• clear the cookie (might be easiest and most effective for some)
• use a different browser (worth trying if you don’t want to “mess with the cookies”)
• open an incognito/private window in your browser (ditto)
• use a different IP address for your request. (A little-known trick is that you can change the last number of 127.0.0.1 to be 2 or 3, and so on, and it will still resolve to the local machine, and now the browser WILL create unique cookies for each.)

Hope that helps someone.

What a great finding! Thank you so much!

Before your solution arrived, I had to download the latest 6.0 lucee.jar & *.ico and replace the existing ones (/WEB-INF/lib/lucee-5.4.4.38.jar, /WEB-INF/lucee-server/patches/5.4.4.38.lco), then the Admin page would show up okay, and then I would revert 6.0 jar & ico back to 5.4.4.38…

I just tried your solutions and they work like a charm!

Wonderful to hear, Myles, and thanks for the update and kind regards.

I look forward to hearing if the others who experienced this issue may find it to resolve things for them…or if perhaps anyone discerns a different explanation or resolution.