Thank you.  Chris, Chuck, Andre, Mark who had answered and I've done this far.  
My report.
- I installed the "URL rewrite" module on IIS 7.  To make short, it worked.  
http to https redirected then enforced hsts on the IIS site.
- but broke all the scripts run on Tomcat due to Strick Transport Security when 
- so I have to disable in/outbound of URL rewrite.
Back to square one.  We will not be able to upgrade Tomcat at this time.

Please help.


-----Original Message-----
From: Christopher Schultz [] 
Sent: Thursday, September 15, 2016 11:01 AM
To: Tomcat Users List <>
Subject: Re: Apache TomCat 5.5

Hash: SHA256


On 9/14/16 7:04 PM, André Warnier (tomcat) wrote:
> Mary, have a look here :
> Tomcat 5.5 was first 
> released about 10 years ago, and the last modification to it was in 
> 2012. The current "stable" version is Tomcat 8.5.5.
> For Open Source and free software such as Apache Tomcat, that means 
> that your chances of getting support and help for such an old version 
> are really not good, because most of the people which would be able to 
> help you probably do not run that version anywhere anymore. Even the 
> documentation is not directly available on-line anymore.
> Regarding your particular issue, it is even possible that the 
> requirement which you are mentioning is younger than Tomcat 5.5 and 
> cannot be met by such an old software version. It is even likely that, 
> considering the age of your Tomcat and the age of the Java JVM it is 
> probably running under, there are a whole lot of other security issues 
> with your server, which make it impossible to make it "secure as the 
> government requires".
> What I am saying is that you are probably wasting your time, and 
> ultimately your employer's time, with this approach.
> You seem to mention below that you are using Tomcat "with IIS".
> Maybe this IIS is a front-end to Tomcat, and users access Tomcat 
> always through IIS. If so, then as long as the connection between IIS 
> and Tomcat is secure (e.g. they run on the same host), then you should 
> probably take care of the SSL/HTTPS (and header) aspect on the IIS 
> front-end. That is, if you /really/ cannot upgrade Tomcat and if your 
> applications /really/ do not run under a newer version of Tomcat and 
> Java.

HSTS is just an HTTP header thing. It can be deployed on any version of 
anything basically back until the beginning of (HTTP) time.

It's slightly easier to do with more recent Tomcats because of the inclusion of 
both the HTTP Header Security Filter[1] and the rewrite valve[2] (oddly not 
mentioned in the "Valves" section of the "Configuration" reference), but anyone 
can write a simple Filter and add it to their web application to add these 
headers. In fact, I wouldn't surprised if Tomcat's HTTP Header Security Filter 
included with Tomcat 8+ would work just fine on Tomcat 5.5. You just need to 
grab the code, compile it, and drop it into your own application.

Since you mentioned IIS, I think you're right that IIS is probably a better 
place to configure these HSTS headers.

Mary, ultimately, Tomcat 5.5 should definitely be upgraded to Tomcat 8 or 
later. You should take your web application and deploy it on Tomcat
8.0 or Tomcat 8.5 in a testing environment and just see what happens.
You might be surprised: it will probably with right away without any 

Hope that helps,
- -chris

Comment: GPGTools -
Comment: Using GnuPG with Thunderbird -


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to