If there is a commented-out <security-constraint> or commented-out <servlet> tag and addWebXmlMappings="true", the JSP's servlet and servlet-mapping tags are placed incorrectly and Tomcat will not start due to "--" being inside a comment. Basically, it seems the web.xml is not parsed correctly when using addWebXmlMappings and you cannot have the above tags commented out, or new servlet tags will be placed incorrectly and comment tags not respected.
Can you provide step-by-step instructions on how to reproduce it on a fresh instance of Tomcat?
In the webapp's web.xml, have display-name and then description. Before the listener, include the snippet below (commented out). Run an ANT script to precompile JSPs:

    <import file="${tomcat.home}/bin/catalina-tasks.xml"/>
    <jasper validateXml="false"
            uriroot="${work.core}"
            webXmlFragment="${jsp.generated.web.xml}"
            addWebXmlMappings="true"
            outputDir="${work.src}"/>

The resulting web.xml ${jsp.generated.web.xml} is malformed. Here is the snippet from the web.xml before instructing jasper to addWebXmlMappings.

    <!--
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    -->

    <!--<security-constraint>
        <web-resource-collection>
            <web-resource-name>Deny Direct Access</web-resource-name>
            <description>Deny direct access to JSPs. All such requests should be handled by the Container in the protection domain </description>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>NoOneCanAccess</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>NoOneCanAccess</role-name>
    </security-role>-->

    <!-- modify in web.xml in tomcat/conf/
    <servlet>
        <servlet-name>jsp</servlet-name>
        <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
        <init-param>
            <param-name>fork</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>xpoweredBy</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>compilerSourceVM</param-name>
            <param-value>1.5</param-value>
        </init-param>
        <init-param>
            <param-name>compilerTargetVM</param-name>
            <param-value>1.5</param-value>
        </init-param>
        <load-on-startup>3</load-on-startup>
    </servlet>
    -->
This has been fixed in trunk and proposed for 6.0.x.
This has been fixed for 6.0.x and will be included in 6.0.26 onwards.
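
The failure reported in this thread, as an added example that is not part of the original discussion and is not Jasper's own code: it assumes the merge step locates its insertion point by plain text search, and shows why a comment-aware search plus a well-formedness check on the merged file avoids the broken deployment descriptor. The anchor list, marker comments and sample web.xml are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a web.xml whose only <security-constraint> is commented out.
WEB_XML = """<web-app>
  <display-name>demo</display-name>
  <!--
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  -->
  <listener>
    <listener-class>example.Listener</listener-class>
  </listener>
</web-app>
"""

# Constructed stand-in for the generated JSP mappings, wrapped in marker comments.
FRAGMENT = """<!-- generated mappings start -->
  <servlet>
    <servlet-name>index_jsp</servlet-name>
    <servlet-class>org.example.index_jsp</servlet-class>
  </servlet>
<!-- generated mappings end -->
"""

ANCHORS = ("<security-constraint>", "</web-app>")  # assumed insert-before strings
COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)

def naive_offset(xml):
    """First anchor match in the raw text, commented-out tags included."""
    return min(i for i in (xml.find(a) for a in ANCHORS) if i >= 0)

def comment_aware_offset(xml):
    """First anchor match outside any XML comment."""
    # Blank comments with same-length padding so offsets still map to the input.
    masked = COMMENT.sub(lambda m: " " * len(m.group()), xml)
    return min(i for i in (masked.find(a) for a in ANCHORS) if i >= 0)

def merge(xml, offset):
    """Insert the generated fragment at the given character offset."""
    return xml[:offset] + FRAGMENT + xml[offset:]

def is_well_formed(xml):
    """Build-time gate: reject a merged web.xml that no longer parses."""
    try:
        ET.fromstring(xml)
        return True
    except ET.ParseError:
        return False
```

Running `is_well_formed` on the merged file as a build step catches the nested-comment case before the application is deployed.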