Question

System.exit(0); or
System.exit(2);

are possible to execute without error, when run with

java -Djava.security.manager -Djava.security.policy==app.policy -cp bin pl.com.App

app.policy:

grant {
      permission java.io.FilePermission "./*", "read,write";
      permission java.net.SocketPermission "localhost:18080", "accept, connect, listen";
      //permission java.util.PropertyPermission "java.home", "read";
};

The security manager is working correctly for writing to a file: when I remove the grant from app.policy, I correctly get an exception when executing new FileWriter("out.txt");

C:\workspace_tomcat\secureWeb>java -version

java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02, mixed mode)

When I run System.exit(0); in a webapp under Tomcat with a security manager, I correctly get an exception.


Solution

Javadoc states (http://docs.oracle.com/javase/7/docs/technotes/guides/security/permissions.html):

Note: The "exitVM.*" permission is automatically granted to all code loaded from the application class path, thus enabling applications to terminate themselves

This applies when you run your code as an independent application. The same applies to Tomcat - it may shut itself down. BUT this does not extend to programs run within the Tomcat container. These programs are fully controlled by the Tomcat security manager: (http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html)
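
The behaviour described in the answer, plus one way to refuse exit for class-path code anyway, as an added example that is not part of the original question or answer. The class names NoExitDemo and NoExitSecurityManager are hypothetical, and the code assumes a JDK that still allows installing a security manager (the question uses Java 6).

```java
import java.security.Permission;

// Added example (not from the original post). Assumes a JDK where
// System.setSecurityManager is still permitted, as on the Java 6 in the question.
public class NoExitDemo {

    /** Hypothetical manager: normal policy checks, but exit is always refused. */
    static final class NoExitSecurityManager extends SecurityManager {
        @Override
        public void checkExit(int status) {
            // The inherited checkExit tests RuntimePermission("exitVM." + status).
            // That permission is attached to classes from the application class
            // path automatically, so an absent grant in app.policy changes nothing.
            // Refusing here does not consult the policy at all.
            throw new SecurityException("System.exit(" + status + ") blocked");
        }

        @Override
        public void checkPermission(Permission perm) {
            // Everything else is still decided by the policy file in effect.
            super.checkPermission(perm);
        }
    }

    public static void main(String[] args) {
        // 1. Stock manager: the exit check passes for this class-path class
        //    even though the policy contains no exitVM entry.
        new SecurityManager().checkExit(2);
        System.out.println("stock SecurityManager: exit check passed");

        // 2. Custom manager: the same call is now rejected.
        System.setSecurityManager(new NoExitSecurityManager());
        try {
            System.exit(2);
            System.out.println("not reached");
        } catch (SecurityException e) {
            System.out.println("custom SecurityManager: " + e.getMessage());
        }
        // Returning from main ends the JVM normally; checkExit is not involved.
    }
}
```

The override applies to every caller, so the application itself can no longer terminate through System.exit while this manager is installed.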

Licensed under: CC-BY-SA with attribution