Enabling HSTS and SSL Redirection for Tomcat 9.x
This document details how to enable HSTS and SSL redirection (by default from port 80 to port 443) on a Tomcat 9.x instance. The same settings do not work on Tomcat 8.x, because some of the parameter names differ in that version.
Enable HSTS
Enabling HSTS (with maxAgeSeconds = 31536000, includeSubDomains, and preload) requires two modifications to Tomcat’s conf/web.xml file:
1. First, to enable HSTS support, replace the following lines (search for “httpHeaderSecurity”):
<!--
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
</filter>
-->
With the following:
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsPreload</param-name>
    <param-value>true</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>
2. Then map the filter so that all requests are covered by HSTS. Search for “httpHeaderSecurity” again; this finds a commented-out filter-mapping under the “Built In Filter Mappings” section, like so:
<!--
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
-->
Simply remove the opening and closing comment markers so that it looks like this:
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Force SSL Redirection
Redirecting HTTP requests to HTTPS requires modifying server.xml so that the HTTP Connector (port 80) redirects to port 443. Port 443 must already be configured to serve SSL content with a valid certificate. Search server.xml for each “Connector” element with port 80 and add the attribute redirectPort="443".
For instance, change this:
<Connector executor="tomcatThreadPool"
           port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           />
To this:
<Connector executor="tomcatThreadPool"
           port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443"
           />
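As an added check (example code, not part of the original page), the following Python script validates the two outcomes configured above: the Strict-Transport-Security header returned on port 443 should carry max-age=31536000, includeSubDomains and preload, and a request on port 80 should be answered with a redirect to https:// on the same host. The sample responses and the host name tomcat.example are constructed.

```python
"""Checks for the HSTS header and HTTP->HTTPS redirect configured above.
Added example, not from the original page; the sample responses are constructed."""
from urllib.parse import urlsplit

# hstsMaxAgeSeconds from the web.xml above; also the minimum the HSTS preload list requires.
EXPECTED_MAX_AGE = 31536000

def parse_hsts(value):
    # 'max-age=31536000;includeSubDomains;preload' -> {lower-cased directive: value}
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def hsts_problems(headers):
    # Findings for an HTTPS (port 443) response; `headers` maps lower-cased names
    # to values. An empty list means the header matches the filter config above.
    value = headers.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security missing: filter-mapping still commented out?"]
    d = parse_hsts(value)
    problems = []
    if not d.get("max-age", "").isdigit():
        problems.append(f"max-age missing or malformed in {value!r}")
    elif int(d["max-age"]) < EXPECTED_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below the configured {EXPECTED_MAX_AGE}")
    for directive in ("includesubdomains", "preload"):
        if directive not in d:
            problems.append(f"{directive} directive missing")
    return problems

def redirect_problems(status, headers, host):
    # Findings for the plain-HTTP (port 80) response: it must redirect to
    # https:// on the same host, otherwise the SSL redirection is not in effect.
    if status not in (301, 302, 307, 308):
        return [f"expected a redirect on port 80, got HTTP {status}"]
    location = headers.get("location", "")
    target = urlsplit(location)
    if target.scheme != "https" or target.hostname != host:
        return [f"Location {location!r} does not point at https://{host}"]
    return []

# Constructed samples of what the configuration above should produce.
GOOD_HTTPS = {"strict-transport-security": "max-age=31536000;includeSubDomains;preload"}
GOOD_HTTP = (302, {"location": "https://tomcat.example/"})
```

Feed it the status and headers of real responses from both ports (for example taken from curl -sI output) to verify a deployed instance.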
Thank you, this worked for me.