Running tomcat with security manager "(request.getHeaders(key)).nextElement()" will cause following exception: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.tomcat.util.buf) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264) at java.security.AccessController.checkPermission(AccessController.java:427) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:251) at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319) at org.apache.tomcat.util.buf.StringCache.toString(StringCache.java:282) at org.apache.tomcat.util.buf.ByteChunk.toString(ByteChunk.java:461) at org.apache.tomcat.util.buf.MessageBytes.toString(MessageBytes.java:209) at org.apache.tomcat.util.http.ValuesEnumerator.nextElement(MimeHeaders.java:423) To work properly you have to add "accessClassInPackage.org.apache.tomcat.util.buf" RuntimePermission. Using the core servlet api should not require that internal tomcat packages have to be exposed to the webapp.
Ok.