In the same way the SecurityManager protects you from an untrusted applet running in your browser, use of a SecurityManager while running Tomcat can protect your server from trojan servlets, JSP's, JSP beans, and tag libraries. Or even inadvertent mistakes.
Imagine if someone who is authorized to publish JSP's on your site invadvertently included the following in their JSP:
<% System.exit(1); %>
Every time that JSP was executed by Tomcat, Tomcat would exit.
Using the Java SecurityManager is just one more line of defense a system administrator can use to keep the server secure and reliable.
Still, running with a SecurityManager is definitely better than running
This is just a short summary of the System SecurityManager Permission classes applicable to Tomcat. Please refer to the JDK documentation for more information on using the below Permissions.
Controls read/write access to JVM properties such as java.home.
Controls use of some System/Runtime functions like exit() and exec().
Controls read/write/execute access to files and directories.
Controls use of network sockets.
Controls use of multicast network connections.
Controls use of reflection to do class introspection.
Controls access to Security methods.
Allows access to all permissions, just as if you were running Tomcat without a SecurityManager.