Explanation

Historically, Apache Tomcat could run applications with the Java Security Manager enabled by starting Tomcat with the -security option. This mechanism allowed web applications to run in a restricted Java security environment with restricted permissions configured through the catalina.policy file.

However, starting with Java 17, the Java Security Manager was deprecated for future removal by OpenJDK. The Tomcat documentation therefore introduced the following warning starting with Tomcat 9:

“As of Java 17, the SecurityManager has been deprecated with the expectation that it will be removed in a future Java version. Users currently using a SecurityManager are recommended to start planning for its removal.”

XWiki releases only support Java versions where the Security Manager is already deprecated or removed.

Related

• Configure Tomcat.