When logging is in TRACE mode or lower, org.apache.catalina.loader.WebappClassLoader.findClass(String) calls getClassLoader() without a privileged block. With security enabled, this will cause a SecurityException if the RuntimePermission to getClassLoader is not granted.
I have committed a patch to trunk and proposed the fix for 5.5.x and 6.0.x
This has been fixed in 6.0.x and will be included in 6.0.17 onwards.
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.