Security things to consider, by Mark Thomas from apache.org:
- use Remote Host/Address filters to limit access to administrative
applications
- enable access logging so if something does go wrong you have some
information to work with
- run Tomcat as a dedicated user with the minimum privileges possible
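
An added example, not from Mark Thomas or from the Tomcat project's shipped files: the first two items expressed as Tomcat valve configuration. The 192.0.2.x admin subnet is a constructed placeholder, and the file locations named in the comments assume a default Tomcat layout.

```xml
<!-- Fragment 1: webapps/manager/META-INF/context.xml (assumed default layout).
     Remote address filter: only loopback and a constructed admin subnet
     (192.0.2.0/24, a placeholder) may reach the Manager application.
     Every other client address is rejected with 403. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.0\.2\.\d+" />
</Context>

<!-- Fragment 2: conf/server.xml, inside the existing <Engine> element.
     Access logging for every request to this host, in the common log
     format plus referer and user agent ("combined" pattern). -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern="combined" />
</Host>
```

If Tomcat sits behind a reverse proxy, RemoteAddrValve sees the proxy's address rather than the client's, so the filter needs RemoteIpValve ahead of it or has to be enforced at the proxy.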