SiteMinder Access Gateway : How to enable HSTS in ProxyUI of AccessGateway
Article ID: 268913

Products

SITEMINDER

Issue/Introduction

HSTS headers for /proxyui do not seem to be working after updating web.xml as follows:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

The curl request does not return the HSTS header:

curl -k -I https://<servername>.example.com:<port no>/proxyui/
HTTP/1.1 302
Location: /proxyui/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-0009521c-18c4-1c67xxxxxxxxxxxxxxxxxxx7f&GUID=&SMAUTHREASON=0&METHOD=HEAD&SMAGENTNAME=-SM-imULHpfXu5M4KVs2n8XmFhh21q4XBTFwmxixbPzkAiOoAPGF%2bccZ71VXLSXWWk9B&TARGET=-SM-httpsxxxxxxxxxxxxxxxxxxxxx%3a<port no>%2fproxyui%2f
Transfer-Encoding: chunked
Date: Tue, 20 Jun 2023 13:54:10 GMT
Server: Apache-Coyote/1.1

Environment

Release : 12.8.x

Resolution

- ProxyValve is the first component on Tomcat to interpret a request.

- ProxyValve checks with the Policy Server whether the resource is protected. If it is protected, ProxyValve checks for a session and, if one is present, validates it with the Policy Server.

If everything is good, ProxyValve allows the request to flow down to the next filters; otherwise the request is answered by ProxyValve itself.

- In this case the user hits /proxyui on the Tomcat port.

ProxyValve receives the request and checks with the Policy Server whether /proxyui is protected. The resource is protected and no session is present, so ProxyValve redirects to the login.fcc page.

Although login.fcc is served by Tomcat, the request has not yet reached the HSTS filter configured in web.xml, because ProxyValve did not allow it to flow down: the resource is protected and there is no valid session.

Once a valid SMSESSION is present, ProxyValve allows the request to hit the next filters. When the request flows down through those filters and hits the HSTS filter configured in web.xml, the response headers are set.

Additional Questions

*** Question 1 --> For /proxyui/test.jpg, a 404 Not Found was returned and the headers were set. Aren't we supposed to redirect to the protected page here, since /proxyui is protected?

Answer: it looks like the rule is not matching, so ProxyValve gets "not protected" from the Policy Server and allows the request to flow down.

There is no issue with accessing /proxyui/test.jpg: .jpg is in the ignore extension list, so the resource is left for Tomcat to serve, and the headers are set.

*** Question 2 --> For /, is it because we do not allow root access on Tomcat?

Answer: yes.
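As an added check (not part of this article, and not Broadcom's code), the Python script below tells the two cases from the Resolution and from Question 1 apart: it parses a HEAD response and reports whether a missing Strict-Transport-Security header is the expected ProxyValve redirect to login.fcc or a real gap in the Tomcat filter chain. The host, port and SMSESSION cookie value passed to probe() are assumptions you supply; the sample responses are constructed.

```python
# Added check: classify /proxyui responses for the Strict-Transport-Security
# header, separating the ProxyValve redirect from a real filter misconfiguration.
import http.client
from typing import Dict, Optional, Tuple

def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse 'HTTP/1.1 <code>' plus header lines; header names are lowercased."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify_hsts(raw: str) -> str:
    """Return 'ok', 'expected-redirect' or 'missing' for one raw response."""
    status, headers = parse_head(raw)
    if "strict-transport-security" in headers:
        return "ok"                 # request reached the web.xml filter chain
    if status == 302 and "login.fcc" in headers.get("location", ""):
        return "expected-redirect"  # ProxyValve answered before any filter ran
    return "missing"                # Tomcat served it, but the filter did not fire

def probe(host: str, port: int, path: str = "/proxyui/",
          smsession: Optional[str] = None) -> str:
    """HEAD the path without following redirects and classify the response.
    Pass an SMSESSION cookie value to exercise the authenticated path (assumed)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    hdrs = {"Cookie": f"SMSESSION={smsession}"} if smsession else {}
    conn.request("HEAD", path, headers=hdrs)
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status}\n" + "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
    conn.close()
    return classify_hsts(raw)

# Constructed samples: the article's unauthenticated 302 (abbreviated), the
# 404 for /proxyui/test.jpg with headers set, and a 200 that lacks the header.
SAMPLE_302 = """HTTP/1.1 302
Location: /proxyui/siteminderagent/forms/login.fcc?TYPE=33554433&TARGET=-SM-https...
Server: Apache-Coyote/1.1"""
SAMPLE_404_HSTS = """HTTP/1.1 404
Strict-Transport-Security: max-age=31536000
Server: Apache-Coyote/1.1"""
SAMPLE_200_NO_HSTS = """HTTP/1.1 200
Server: Apache-Coyote/1.1"""

if __name__ == "__main__":
    for name, raw in [("302", SAMPLE_302), ("404", SAMPLE_404_HSTS), ("200", SAMPLE_200_NO_HSTS)]:
        print(name, classify_hsts(raw))
```

Because HttpHeaderSecurityFilter's hstsMaxAgeSeconds defaults to 0, also check the max-age value the filter emits, not just the header's presence.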