Create a web application that contains the following jsp:
<html> <body> Trying to shutdown Tomcat, please press reload. <% System.exit(1); %> </body> </html>
Run Catalina (eg. catalina run) and load up the jsp. Notice in the Tomcat console that Tomcat has exited. What happens is that, by default, Tomcat is started without a security manager. The JSP, that was compiled into a servlet, runs in the same Virtual Machine as Tomcat itself, and System.exit causes the currently running VM to exit.
To prevent this from happening, run Tomcat with a Security Manager to not permit web applications to perform these kinds of operations. The security policy file used by Catalina is catalina.policy located in the [TOMCAT-HOME]/conf directory.
If you start Catalina again with the option -security (eg. catalina run -security, or startup -security), catalina.policy is taken into account.
If you then load the jsp, you would get the following error message in your browser window:
java.security.AccessControlException: access denied (java.lang.RuntimePermission exitVM) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272) at java.security.AccessController.checkPermission(AccessController.java:399) at java.lang.SecurityManager.checkPermission(SecurityManager.java:545) at java.lang.SecurityManager.checkExit(SecurityManager.java:765) at java.lang.Runtime.exit(Runtime.java:91) at java.lang.System.exit(System.java:701) at org.apache.jsp.ExitTomcat$jsp._jspService(ExitTomcat$jsp.java:59) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) . . .