As for J2EE (Tomcat) security, the best place to start is any good book on servlets and JSPs. Read up on setting up web.xml for secure transport, security roles, and secured URLs. That will tell you what you need on the application side.
On the Tomcat side you simply deploy with a security Realm configured into the application Context. There are a number of Realm plugins that come with Tomcat, including JDBC, LDAP, and JAAS. There's also a simpler set of MemoryRealms that make testing easier by allowing you to define user IDs, passwords and security roles in an XML file (tomcat-users.xml).
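The pieces named in the post above, shown together as an added example (not part of the original post): the web.xml constraint on the application side, the Realm in the Context, and the tomcat-users.xml file it reads. The `/admin/*` path, the `admin` role, the realm name, the `testadmin` user and the `CHANGE_ME` password are constructed placeholders.

```xml
<!-- 1. WEB-INF/web.xml (application side): secured URL, role, transport -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>          <!-- assumed path -->
    <!-- no <http-method> listed, so the constraint covers every method -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>                 <!-- assumed role -->
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL: Tomcat redirects plain-HTTP requests to the HTTPS connector -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name>         <!-- assumed name -->
</login-config>
<security-role>
  <role-name>admin</role-name>                   <!-- must match the role above -->
</security-role>

<!-- 2. META-INF/context.xml (Tomcat side): Realm inside the application Context -->
<Context>
  <Realm className="org.apache.catalina.realm.MemoryRealm"
         pathname="conf/tomcat-users.xml"/>
</Context>

<!-- 3. conf/tomcat-users.xml: test-only users; passwords sit here in plaintext -->
<tomcat-users>
  <role rolename="admin"/>
  <user username="testadmin" password="CHANGE_ME" roles="admin"/>
</tomcat-users>
```

The role name is the link between the three files: the `roles` attribute in tomcat-users.xml must match the `<role-name>` in web.xml, or an authenticated user is still refused with a 403.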