Getting error 403 with Tomcat 7.0.100 and Apache server 2.4 when using "secret" with AJP

I had the same issue.

I had to add allowedRequestAttributesPattern=".*" to the connector

So in your case

<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" secretRequired="true" secret="123456" address="" allowedRequestAttributesPattern=".*" />

This is a new attribute which has been added with Tomcat 7.0.100.

Add a new attribute, allowedRequestAttributesPattern to the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt)

Although I haven't figured out what attribute we are sending. But if the setting works for you with a wildcard, you are probably sending attributes as part of your AJP request which are not recognized.