Bug 57152 - Tomcat Manager cannot start with security manager enabled
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Manager
Version: 7.0.50
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2014-10-27 15:52 UTC by Paweł Chorążyk
Modified: 2014-10-27 17:41 UTC
Description Paweł Chorążyk 2014-10-27 15:52:42 UTC
The bug is easy to reproduce: just download Tomcat and start it using
./catalina.bat -security  
or
./catalina.sh -security


The Tomcat Manager web application throws an exception. I checked a few versions and it looks like it works correctly (Tomcat Manager starts with security manager enabled) in versions below 7.0.50 and it doesn't work in 7.0.50 and later. 

I checked it on Windows as well as on Linux. We use RMI in our webapp and we need the security manager to run it.

Giving all permissions in security policy doesn't seem to help:
grant {
  permission java.security.AllPermission;
};


Stack trace:
INFO: Deploying web application directory C:\Users\joegreen\Desktop\apache-tomcat-7.0.50\webapps\host-manager
paź 27, 2014 4:34:57 PM org.apache.catalina.startup.HostConfig deployDirectory
SEVERE: The web application with context path [/host-manager] was not deployed because it contained a deployment descriptor [C:\Users\joegreen\Desktop\apache-tomcat-7.0.50\webapps\host-manager\META-INF\context.xml] which may include configuration necessary for the secure deployment of the application but processing of deployment descriptors is prevented by the deployXML setting of this host. An appropriate descriptor should be created at [C:\Users\joegreen\Desktop\apache-tomcat-7.0.50\conf\Catalina\localhost\host-manager.xml] to deploy this application.
paź 27, 2014 4:34:57 PM org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start: 
org.apache.catalina.LifecycleException: Failed to start component [/host-manager]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
	at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:634)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1230)
	at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1876)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:724)
Caused by: org.apache.catalina.LifecycleException: Failed to process either the global, per-host or context-specific context.xml file therefore the [/host-manager] Context cannot be started.
	at org.apache.catalina.startup.FailedContext.startInternal(FailedContext.java:158)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	... 14 more

paź 27, 2014 4:34:57 PM org.apache.catalina.startup.HostConfig deployDirectory
SEVERE: Error deploying web application directory C:\Users\joegreen\Desktop\apache-tomcat-7.0.50\webapps\host-manager
java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [/host-manager]
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
	at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:634)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1230)
	at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1876)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:724)

paź 27, 2014 4:34:57 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\Users\joegreen\Desktop\apache-tomcat-7.0.50\webapps\manager
paź 27, 2014 4:34:57 PM org.apache.catalina.startup.HostConfig deployDirectory
SEVERE: The web application with context path [/manager] was not deployed because it contained a deployment descriptor [C:\Users\joegreen\Desktop\apache-tomcat-7.0.50\webapps\manager\META-INF\context.xml] which may include configuration necessary for the secure deployment of the application but processing of deployment descriptors is prevented by the deployXML setting of this host. An appropriate descriptor should be created at [C:\Users\joegreen\Desktop\apache-tomcat-7.0.50\conf\Catalina\localhost\manager.xml] to deploy this application.
paź 27, 2014 4:34:57 PM org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start: 
org.apache.catalina.LifecycleException: Failed to start component [/manager]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
	at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:634)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1230)
	at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1876)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:724)
Caused by: org.apache.catalina.LifecycleException: Failed to process either the global, per-host or context-specific context.xml file therefore the [/manager] Context cannot be started.
	at org.apache.catalina.startup.FailedContext.startInternal(FailedContext.java:158)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	... 14 more

paź 27, 2014 4:34:57 PM org.apache.catalina.startup.HostConfig deployDirectory
SEVERE: Error deploying web application directory C:\Users\joegreen\Desktop\apache-tomcat-7.0.50\webapps\manager
java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [/manager]
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:904)
	at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:634)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1230)
	at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1876)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:724)

paź 27, 2014 4:34:57 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\Users\joegreen\Desktop\apache-tomcat-7.0.50\webapps\ROOT
paź 27, 2014 4:34:58 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
paź 27, 2014 4:34:58 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]
paź 27, 2014 4:34:58 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1591 ms
Comment 1 Christopher Schultz 2014-10-27 17:08:42 UTC
Between 7.0.50 and 7.0.56 (current as of this writing), there have been 4 bugs identified and fixed that involve the manager webapp and security manager.

Please re-test with 7.0.56.
Comment 2 Paweł Chorążyk 2014-10-27 17:16:17 UTC
I haven't stated it clearly but of course I have also verified this behavior in the newest 7.0.56 version of Tomcat. I have just done it again to be sure and yes, it also happens in 7.0.56.
Comment 3 Konstantin Kolinko 2014-10-27 17:41:38 UTC
This behaviour is by design.

As mentioned in changelog (7.0.48):

        If a Host is configured with a value of <code>false</code> for
        <code>deployXML</code>, a web application has an embedded
        descriptor at <code>META-INF/context.xml</code> and no explicit
        descriptor has been defined for this application, do not allow the
        application to start. The reason for this is that the embedded
        descriptor may contain configuration necessary for secure operation
        such as a <code>RemoteAddrValve</code>.
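
Added example, not part of the original thread and not Tomcat project code: a shell check for the condition the changelog entry describes, plus the step the SEVERE message asks for (creating the explicit descriptor). Starting with -security triggers it because deployXML defaults to false when a security manager is enabled. The function names and the constructed sample tree are assumptions, as is the default layout (engine "Catalina", host "localhost", appBase "webapps", exploded directories only).

```shell
#!/bin/sh
# Added example, not Tomcat project code.
# Assumes the default layout: engine "Catalina", host "localhost",
# appBase "webapps", exploded application directories (WARs are not opened).

# Print the names of applications that have an embedded META-INF/context.xml
# but no explicit descriptor in conf/Catalina/localhost/.
find_blocked_apps() {
    base=$1
    for dir in "$base"/webapps/*/; do
        [ -f "${dir}META-INF/context.xml" ] || continue
        app=$(basename "$dir")
        [ -f "$base/conf/Catalina/localhost/$app.xml" ] || printf '%s\n' "$app"
    done
}

# After reviewing the embedded descriptor, publish it as the explicit one.
# Returns 1 if there is nothing to copy, 2 if a descriptor already exists.
install_descriptor() {
    base=$1 app=$2
    src="$base/webapps/$app/META-INF/context.xml"
    dst="$base/conf/Catalina/localhost/$app.xml"
    [ -f "$src" ] || return 1
    [ -e "$dst" ] && return 2
    mkdir -p "$base/conf/Catalina/localhost" && cp "$src" "$dst"
}

# Constructed sample tree mirroring the applications named in the log above.
# The descriptor contents are placeholders, not the real manager context.xml.
make_sample_base() {
    base=$(mktemp -d)
    for app in manager host-manager ROOT; do
        mkdir -p "$base/webapps/$app/META-INF"
    done
    echo '<Context privileged="true"/>' > "$base/webapps/manager/META-INF/context.xml"
    echo '<Context privileged="true"/>' > "$base/webapps/host-manager/META-INF/context.xml"
    printf '%s\n' "$base"
}
```

Run `find_blocked_apps "$CATALINA_BASE"` before enabling the security manager, and read each embedded descriptor before calling `install_descriptor`, since the copied file is then trusted as host-level configuration.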