Say, a web application is added to a few already existing ones, in an engine of Tomcat supposed to run on a host. This web application makes a RMI call and needs to run with a RMISecurityManager.
If <catalina.home>/bin/startup -security is run with ./catalina.bat edited to specify -Djava.security.manager=java.rmi.RMISecurityManager all the other web applications too will run with that - perhaps not good! The question is, how to enable a Security Manager per web application? Things may be similiar but lets' talk about Tomcat 5.
You can set a security manager just for one web app the same way you would in a desktop application, via "System.setSecurityManager(SecurityManager)". That's best done during initialization, perhaps during a contextInitialized event.