Mary -
First, sorry for the top-post.

I noticed in your original post that you have upgraded to the latest Java 8, 
and nearly latest Windows version (at least new than the release available when 
Tomcat 5.5 was first available).  I don't understand why you can't just go 
ahead and upgrade to the latest Tomcat 8 or 8.5 implementation.  As others have 
said, it is quite likely that your application will run just fine.
Without more details of your exact implementation environment, I can't give 
full advice, but here are some things to take into account:

1) If you are terminating SSL at the IIS7 client interface, then that is where 
you need to enable HSTS. It only needs to be on the IIS7-Tomcat conversation if 
that is also using SSL on its linkage (not normally needed for an internal 
network, but your requirements may specify otherwise).  Strip it out of headers 
on the way to Tomcat and add it back on the way to client if necessary.

2) When going from such an old Version of Tomcat to a newer one, be aware that 
Tomcat configuration files and options HAVE changed.  You cannot just copy 
server.xml, context.xml, etc. files from the old version to the new.  You must 
migrate your settings to the new versions.  This is not that difficult or 
time-consuming, but it is best to do this manually.

3) Beware of any changes to provided valves/filters that you rely on.  Changes 
to those in new versions may require you to handle them differently.

4) Do this all in a test/dev environment, possibly several times, before even 
thinking about changing production.

5) If the addition of an additional/unknown HTTP header is causing problems 
with your backend processing, then you have more problems than you think you 
do. You application is in violation of the most basic tenets of the HTTP 
protocol stack, as those headers should just be ignored according to the 
protocol.  Your application may stop working correctly in the next few months 
even without you doing anything to your current setup.


> -----Original Message-----
> From: Pham, Mary (NIH/OD/ORS) [E] []
> Sent: Wednesday, September 21, 2016 9:52 AM
> To: 'Tomcat Users List' <>
> Subject: RE: Apache TomCat 5.5
> Thank you.  Chris, Chuck, Andre, Mark who had answered and I've done
> this far.
> My report.
> - I installed the "URL rewrite" module on IIS 7.  To make short, it
> worked.  http to https redirected then enforced hsts on the IIS site.
> - but broke all the scripts run on Tomcat due to Strick Transport
> Security when HTTPS.
> - so I have to disable in/outbound of URL rewrite.
> Back to square one.  We will not be able to upgrade Tomcat at this time.
> Please help.
> -Mary
> -----Original Message-----
> From: Christopher Schultz []
> Sent: Thursday, September 15, 2016 11:01 AM
> To: Tomcat Users List <>
> Subject: Re: Apache TomCat 5.5
> Hash: SHA256
> André,
> On 9/14/16 7:04 PM, André Warnier (tomcat) wrote:
> > Mary, have a look here :
> > Tomcat 5.5 was first
> > released about 10 years ago, and the last modification to it was in
> > 2012. The current "stable" version is Tomcat 8.5.5.
> >
> > For Open Source and free software such as Apache Tomcat, that means
> > that your chances of getting support and help for such an old version
> > are really not good, because most of the people which would be able to
> > help you probably do not run that version anywhere anymore. Even the
> > documentation is not directly available on-line anymore.
> >
> > Regarding your particular issue, it is even possible that the
> > requirement which you are mentioning is younger than Tomcat 5.5 and
> > cannot be met by such an old software version. It is even likely that,
> > considering the age of your Tomcat and the age of the Java JVM it is
> > probably running under, there are a whole lot of other security issues
> > with your server, which make it impossible to make it "secure as the
> > government requires".
> >
> > What I am saying is that you are probably wasting your time, and
> > ultimately your employer's time, with this approach.
> >
> > You seem to mention below that you are using Tomcat "with IIS".
> > Maybe this IIS is a front-end to Tomcat, and users access Tomcat
> > always through IIS. If so, then as long as the connection between IIS
> > and Tomcat is secure (e.g. they run on the same host), then you should
> > probably take care of the SSL/HTTPS (and header) aspect on the IIS
> > front-end. That is, if you /really/ cannot upgrade Tomcat and if your
> > applications /really/ do not run under a newer version of Tomcat and
> > Java.
> HSTS is just an HTTP header thing. It can be deployed on any version of
> anything basically back until the beginning of (HTTP) time.
> It's slightly easier to do with more recent Tomcats because of the
> inclusion of both the HTTP Header Security Filter[1] and the rewrite
> valve[2] (oddly not mentioned in the "Valves" section of the
> "Configuration" reference), but anyone can write a simple Filter and add
> it to their web application to add these headers. In fact, I wouldn't
> surprised if Tomcat's HTTP Header Security Filter included with Tomcat
> 8+ would work just fine on Tomcat 5.5. You just need to grab the code,
> compile it, and drop it into your own application.
> Since you mentioned IIS, I think you're right that IIS is probably a
> better place to configure these HSTS headers.
> Mary, ultimately, Tomcat 5.5 should definitely be upgraded to Tomcat 8
> or later. You should take your web application and deploy it on Tomcat
> 8.0 or Tomcat 8.5 in a testing environment and just see what happens.
> You might be surprised: it will probably with right away without any
> modifications.
> Hope that helps,
> - -chris
> [1]
> [2]
> Comment: GPGTools -
> Comment: Using GnuPG with Thunderbird -
> lcOfn/2L0dTfhESp/7EHqAcJaTvCHT6JH+RKplQ4gito4cJ8F2tp0HBiLRNukxjB
> dxnZL7q5j6Z/41vrLMWX94WI4zz1PMqlhrEMI0/pEtRQFx07h0aE7WLp4CY6JMTl
> dCGcuqkEgzNmjL1se+3+Aj3uVd0QAYESfT24AbLK0MHyrkmtIhRfr8W03C/ouD8M
> 9xcZ9f9BemvneI2zwiUelXaTvE4sCkPf3ULp/xw0MNYGLgl6VS8yByt1KwQsFzal
> YPK+UL+k/JK6sxvGpsVLTvmY6StWYXOJZzp4C38YHxj7L5exDpDc/gCAClGm5kM/
> uS1vVLL8jlkxby6k3mk5eU43M/HZkgAL+3FNjYCOcnvlsyJKsvQ9qai7Mal2N1Zt
> jolFNDZCxWxfXLBPM/BLnfaYTYS6FXWZmAT5QrbnqAoxG9iKWsiMloPym8xdO36+
> vIxOeNevWZif7MbpRUw84oOtcCAm1aZcyjXjwxQwWNciczocZg8d3DSJY53wqcrL
> nAx5zVbxE5h3nBKSuuNl3s1WGXf7hySYxWyCg7Ya67EsGGeDT1rlLaotXI8PdKOL
> qB32fz6PRJZspxJDefQGSHWrjq3gBAqeNFzp/3vj9tmvdCDkdzT0xNJH9s/6YGVE
> 7whnGB6jlseII/fYe6s1
> =hetE
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to