Comment 3 for bug 1799990

upgrade in this context means: "apt update && apt upgrade", so just a regular security update, not from any older distribution

/etc/init.d/tomcat7 sources /etc/default/tomcat7 (line 111-114) so TOMCAT7_SECURITY is read from their.
The conffile will be created from postinst in tomcat7_7.0.68-1ubuntu0.3_all.deb

If someone installs the last version from xenial-security and activate the security manager with the conffile -> he is getting a broken setup

I've checked the files from the deb-File:

/etc/init.d/tomcat7 creates the policy file at every start
at:
POLICY_CACHE="$CATALINA_BASE/policy/catalina.policy"

but /usr/share/tomcat7/bin/catalina.sh is looking up in the old place ($CATALINA_BASE/work/catalina.policy)

so i think there is no symlink magic necessary. Please patch /etc/init.d/tomcat7 or /usr/share/tomcat7/bin/catalina.sh so booth uses the place.