On Wed, Apr 16, 2025 at 9:14 AM S Abirami <s.abir...@ericsson.com.invalid> wrote:
>
> Hi All,
>
> After upgrading to Tomcat 11, I noticed the Catalina.policy file was removed
> from Tomcat.
> I haven't seen any specific documentation regarding it in the Tomcat release
> notes, migration guide etc.
The security manager support has been removed in Tomcat 11. As Oracle reviewed
usage of the feature, which added a TON of complexity in the Java codebase,
Tomcat was found to be one of the very few "good" uses of it out there. This
was not sufficient justification to keep it around, especially since the
supposedly good use case had been mostly replaced with containerization.

Rémy

> But Gen AI provides the following input, please let me know whether the
> following input is right or wrong?
>
> The catalina.policy file was removed in Apache Tomcat 11 and later versions
> because the Java SecurityManager, which this file was used to configure, has
> been deprecated and removed in later versions of Java. This change aligns
> with Java's move towards more modern security practices.
> Here's a more detailed explanation:
>
> * SecurityManager Deprecation:
>   The Java SecurityManager, which enforced security policies, has been
>   deprecated in Java 17 and marked for removal in later versions.
>
> * Tomcat 11 Adherence:
>   Tomcat 11 and later versions align with these Java changes by removing the
>   SecurityManager and consequently the catalina.policy file.
>
> * Alternative Security Mechanisms:
>   While the SecurityManager is gone, Tomcat still provides security features
>   through other mechanisms like role-based access control and access control
>   lists (ACLs).
>
> * Security Considerations:
>   If you are using older versions of Tomcat (prior to 11), you may still need
>   to manage the catalina.policy file to control permissions for internal
>   Tomcat components and applications, according to
>   OpenLogic <https://www.openlogic.com/blog/apache-tomcat-security-best-practices>.
>
> * Upgrade Implications:
>   If you are upgrading to Tomcat 11 or later, you should remove the
>   catalina.policy file and review your security configurations to utilize the
>   new security mechanisms, as explained in the migration guide.
>
> Regards,
> Abirami.S
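The thread's practical takeaway is that after an upgrade to Tomcat 11 any leftover security-manager configuration is silently inert: a conf/catalina.policy file no longer restricts anything, and startup flags that used to enable the manager are no longer meaningful. The script below is an added example (hypothetical helper, not part of Apache Tomcat or of anyone's post in this thread) that audits a CATALINA_BASE directory for such leftovers. It assumes the standard layout (conf/catalina.policy, bin/setenv.sh, bin/setenv.bat), and that the things worth flagging are the -security option that Tomcat 9/10's catalina.sh accepted and the JVM's own -Djava.security.manager / -Djava.security.policy switches; the sample installation it inspects is constructed in a temporary directory so it runs offline.

```python
"""Audit a Tomcat CATALINA_BASE for leftover Java SecurityManager configuration
that Tomcat 11 no longer honours.

Hypothetical helper, not part of Apache Tomcat. File layout and the set of
startup files inspected are assumptions; the sample installation is constructed.
"""
import re
import tempfile
from pathlib import Path

# Patterns that indicate the (removed) SecurityManager is still being enabled.
# "-security" is the option Tomcat 9/10's catalina.sh/catalina.bat used to start
# with the security manager; the two -D properties are the JVM's own switches.
LEGACY_PATTERNS = {
    "catalina_security_option": re.compile(r"(?<![\w-])-security\b"),
    "jvm_security_manager": re.compile(r"-Djava\.security\.manager\b"),
    "jvm_policy_file": re.compile(r"-Djava\.security\.policy="),
}

# User-maintained startup files where such options usually live (assumption).
STARTUP_FILES = ("bin/setenv.sh", "bin/setenv.bat")


def audit_tomcat_install(catalina_base):
    """Return a list of (relative file, finding) tuples for leftover
    SecurityManager configuration under the given CATALINA_BASE."""
    base = Path(catalina_base)
    findings = []

    policy = base / "conf" / "catalina.policy"
    if policy.is_file():
        findings.append((str(policy.relative_to(base)),
                         "catalina.policy present: ignored by Tomcat 11, "
                         "its grants no longer restrict anything"))

    for rel in STARTUP_FILES:
        path = base / rel
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            stripped = line.strip()
            # Skip blank lines and shell / batch comments.
            if not stripped or stripped.startswith(("#", "rem ", "REM ", "::")):
                continue
            for name, pattern in LEGACY_PATTERNS.items():
                if pattern.search(line):
                    findings.append((rel, f"line {lineno}: {name}"))
    return findings


def build_sample_install():
    """Create a constructed Tomcat 10-style CATALINA_BASE in a temp directory,
    still carrying the legacy security-manager settings."""
    root = Path(tempfile.mkdtemp(prefix="tomcat-audit-"))
    (root / "conf").mkdir()
    (root / "bin").mkdir()
    (root / "conf" / "catalina.policy").write_text(
        '// constructed sample policy\n'
        'grant codeBase "file:${catalina.home}/lib/-" {\n'
        '    permission java.security.AllPermission;\n'
        '};\n')
    (root / "bin" / "setenv.sh").write_text(
        '#!/bin/sh\n'
        '# constructed sample: legacy flags still set\n'
        'CATALINA_OPTS="$CATALINA_OPTS -Djava.security.manager"\n'
        'CATALINA_OPTS="$CATALINA_OPTS -Djava.security.policy=$CATALINA_BASE/conf/catalina.policy"\n'
        'JAVA_OPTS="$JAVA_OPTS -Xmx1g"\n')
    return root


if __name__ == "__main__":
    sample = build_sample_install()
    for file, finding in audit_tomcat_install(sample):
        print(f"{file}: {finding}")
```

Run it against a real CATALINA_BASE by calling audit_tomcat_install with that path; an empty result means nothing from the old security-manager setup is lingering, while each finding points at a file that should be cleaned up so that nobody later mistakes the dead policy for an active control.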