Friday, August 6, 2010

Upgrading Tomcat in JBoss 4.0.5

Developers who extend or support applications deployed on JBoss 4.0.5 may receive security issue reports from customers, along with a requirement to fix them.

JBoss 4.0.5 shipped with Tomcat 5.5.20. At the time I'm writing this article, Tomcat has released 5.5.30, an update within the same major version. The Tomcat team puts all recent security fixes into both the 5.5.X and 6.0.X major versions, so updating Tomcat to the most recent release of the 5.5.X line is enough to fix the Tomcat-related security issues in JBoss 4.0.5.

It's pretty easy to update the Tomcat version there: download the most recent Tomcat 5.5.X as ZIP or TAR.GZ, extract it, find the following 17 JARs in it, and replace the corresponding ones in server\<server>\deploy\jbossweb-tomcat55.sar, e.g. "C:\jboss-4.0.5.GA\server\default\deploy\jbossweb-tomcat55.sar":

catalina-manager.jar
catalina-optional.jar
catalina.jar
commons-el.jar
commons-modeler-2.0.1.jar (to replace commons-modeler.jar)
jasper-compiler-jdt.jar
jasper-compiler.jar
jasper-runtime.jar
naming-resources.jar
servlets-default.jar
servlets-invoker.jar
servlets-webdav.jar
tomcat-ajp.jar
tomcat-apr.jar
tomcat-coyote.jar
tomcat-http.jar
tomcat-util.jar

Restart JBoss and check for your security issues :)
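To confirm that none of the 17 JARs was missed, the following script (an added example, not part of the original post) compares each JAR in the .sar directory against the one from the extracted Tomcat distribution by SHA-256. It assumes commons-modeler-2.0.1.jar was copied over the old name commons-modeler.jar; the function and variable names are illustrative.

```python
import hashlib
import sys
from pathlib import Path

# The 17 JARs from the list above: name in the Tomcat distribution -> name in the .sar
JARS = {n: n for n in (
    "catalina-manager.jar", "catalina-optional.jar", "catalina.jar",
    "commons-el.jar", "jasper-compiler-jdt.jar", "jasper-compiler.jar",
    "jasper-runtime.jar", "naming-resources.jar", "servlets-default.jar",
    "servlets-invoker.jar", "servlets-webdav.jar", "tomcat-ajp.jar",
    "tomcat-apr.jar", "tomcat-coyote.jar", "tomcat-http.jar", "tomcat-util.jar",
)}
# Assumption: the new modeler JAR replaces the old file under the old name.
JARS["commons-modeler-2.0.1.jar"] = "commons-modeler.jar"


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_upgrade(tomcat_dir, sar_dir):
    """Return {jar name in .sar: status}; status is 'ok', 'stale',
    'missing-in-sar' or 'missing-in-tomcat'."""
    tomcat_dir, sar_dir = Path(tomcat_dir), Path(sar_dir)
    report = {}
    for src_name, dst_name in sorted(JARS.items()):
        # The JARs live in different lib folders of the distribution,
        # so both trees are searched by file name.
        src = sorted(tomcat_dir.rglob(src_name))
        dst = sorted(sar_dir.rglob(dst_name))
        if not src:
            report[dst_name] = "missing-in-tomcat"
        elif not dst:
            report[dst_name] = "missing-in-sar"
        elif sha256(src[0]) == sha256(dst[0]):
            report[dst_name] = "ok"
        else:
            report[dst_name] = "stale"  # still the old Tomcat build
    return report


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_upgrade.py <extracted-tomcat-dir> <jbossweb-tomcat55.sar dir>")
    result = check_upgrade(sys.argv[1], sys.argv[2])
    for name, status in result.items():
        print(f"{status:18} {name}")
    sys.exit(0 if all(s == "ok" for s in result.values()) else 1)
```

A non-zero exit code means at least one JAR in the .sar does not match the new Tomcat release, so the server is still running some of the old code.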

Many thanks to Steven J. Adamus from SAIC for helping to resolve this issue.
