Hi All,

After upgrading to Tomcat 11, I noticed the catalina.policy file was removed from Tomcat. I haven't seen any specific documentation regarding it in the Tomcat release notes, migration guide, etc.
But Gen AI provides the following input; please let me know whether the following input is right or wrong?

The catalina.policy file was removed in Apache Tomcat 11 and later versions because the Java SecurityManager, which this file was used to configure, has been deprecated and removed in later versions of Java. This change aligns with Java's move towards more modern security practices. Here's a more detailed explanation:

* SecurityManager Deprecation: The Java SecurityManager, which enforced security policies, has been deprecated in Java 17 and marked for removal in later versions.
* Tomcat 11 Adherence: Tomcat 11 and later versions align with these Java changes by removing the SecurityManager and consequently the catalina.policy file.
* Alternative Security Mechanisms: While the SecurityManager is gone, Tomcat still provides security features through other mechanisms like role-based access control and access control lists (ACLs).
* Security Considerations: If you are using older versions of Tomcat (prior to 11), you may still need to manage the catalina.policy file to control permissions for internal Tomcat components and applications, according to OpenLogic <https://www.openlogic.com/blog/apache-tomcat-security-best-practices>.
* Upgrade Implications: If you are upgrading to Tomcat 11 or later, you should remove the catalina.policy file and review your security configurations to utilize the new security mechanisms, as explained in the migration guide.

Regards,
Abirami.S