Does anybody actually use the permissions policy controls in tomcat?

While I can appreciate the point of the fine granularity in which you can enable security for every single little thing for each individual application in tomcat, in reality, it's an insane pain in the ass. Every single file, socket, everything for every single application. Sure if you're writing a "hello world" application, it's not too much to ask, but an enterprise sized application? That's insane. Does anybody actually use it, or does everybody just say "开发者_JAVA技巧*" for everything?

You would use the permissions policy in an environment where you can't trust the applications deployed in tomcat. There is a significant impact on performance, so in practice it is rarely used.