Running Tomcat with a security manager

Create a web application that contains the following JSP:

Trying to shutdown Tomcat, please press reload.

Run Catalina (e.g. catalina run) and load the JSP. Notice in the Tomcat console that Tomcat has exited. This happens because, by default, Tomcat is started without a security manager. The JSP, once compiled into a servlet, runs in the same virtual machine as Tomcat itself, so System.exit causes the currently running VM to exit.

To prevent this, run Tomcat with a Security Manager so that web applications are not permitted to perform these kinds of operations. The security policy file used by Catalina is catalina.policy, located in the [TOMCAT-HOME]/conf directory.

If you start Catalina again with the -security option (e.g. catalina run -security, or startup -security), catalina.policy is taken into account.

If you then load the JSP, you get the following error message in your browser window:

access denied (java.lang.RuntimePermission exitVM)
	at java.lang.SecurityManager.checkPermission(
	at java.lang.SecurityManager.checkExit(
	at java.lang.Runtime.exit(
	at java.lang.System.exit(
	at org.apache.jsp.ExitTomcat$jsp._jspService(ExitTomcat$
	at org.apache.jasper.runtime.HttpJspBase.service(
	at javax.servlet.http.HttpServlet.service(
. . .
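
The denial described above, reproduced outside Tomcat as an added example (not code from the original page or from Tomcat): a small SecurityManager subclass, used here in place of catalina.policy, refuses the exitVM permission, so the System.exit call fails with a SecurityException and the VM keeps running. The class and method names are hypothetical, and the demo assumes a JDK on which a Security Manager can still be installed.

```java
import java.security.Permission;

// Added illustration, not Tomcat code: a minimal SecurityManager that refuses
// exitVM, standing in for a catalina.policy that does not grant it to web apps.
public class ExitGuardDemo {

    @SuppressWarnings("removal") // SecurityManager is deprecated for removal since Java 17
    static final class DenyExit extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Newer JDKs name the permission "exitVM.<status>"; older ones use "exitVM".
            if (perm instanceof RuntimePermission && perm.getName().startsWith("exitVM")) {
                throw new SecurityException(
                    "access denied (" + perm.getClass().getName() + " " + perm.getName() + ")");
            }
            // Every other permission is allowed so the demo itself keeps working.
        }
    }

    // Hypothetical stand-in for the JSP body that calls System.exit.
    static String untrustedCode() {
        try {
            System.exit(1); // goes through checkExit -> checkPermission, as in the stack trace
            return "unreachable: the VM would already be gone";
        } catch (SecurityException e) {
            return e.getMessage();
        }
    }

    @SuppressWarnings("removal")
    public static void main(String[] args) {
        try {
            System.setSecurityManager(new DenyExit());
        } catch (UnsupportedOperationException e) {
            // Java 18+ needs -Djava.security.manager=allow; Java 24+ no longer supports it.
            System.out.println("Security Manager unavailable on this JDK: " + e.getMessage());
            return;
        }
        System.out.println("System.exit blocked: " + untrustedCode());
        System.out.println("VM still running, as Tomcat would be");
    }
}
```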