There has long been a standard that TCP/IP ports with numbers less than 1024 were "magic" and could only be held by privileged users. This was probably never as good an idea as it sounded, but it's entrenched, and while earlier versions of Windows didn't always enforce that rule, all the more recent editions I know of do.
The problem is, if a user is privileged, it can, if exploited, muck around with a lot more than just protected TCP/IP ports. So you really don't want to run anything as a privileged user if you can avoid it.
A lot of Internet apps have protections to limit the exposure. Programs such as the Apache httpd server "jail" themselves; they open ports 80 and 8443 and then launch their primary processors under an alternate, less privileged user ID.
Unfortunately, there's no "write-once/run-anywhere" way of doing things like that, so whatever user ID Tomcat launched under is the user ID it runs everything under, and therefore use of ports 80 and 443 requires a privileged user.
What's generally done to mitigate that is to proxy Tomcat with a safer server such as Apache. Apache is fairly low overhead, can offer ports 80 and 443 safely, and has the additional advantage that it allows a mix of Java and non-Java webapps, since Apache itself can run things like PHP and Python CGI. And, of course, Apache is one of the most efficient servers of static content available.
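
A minimal httpd configuration for the arrangement described above, added here as an illustration and not taken from the original post. It assumes Tomcat runs as an unprivileged user with its HTTP connector on 127.0.0.1:8080; the host name, the `www-data` account and the `/static/` path are placeholders.

```apache
# httpd is started as root only long enough to bind port 80;
# the worker processes that handle requests run as this unprivileged account.
Listen 80
User  www-data
Group www-data

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName www.example.com

    # Act as a reverse proxy only, never as an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header so the webapp builds correct URLs.
    ProxyPreserveHost On

    # Static content is served by Apache itself; the "!" exclusion
    # must come before the catch-all ProxyPass below.
    Alias /static/ /var/www/static/
    <Directory /var/www/static/>
        Require all granted
    </Directory>
    ProxyPass /static/ !

    # Everything else goes to Tomcat on its unprivileged port.
    # Assumption: the Tomcat <Connector> in server.xml has
    # address="127.0.0.1" so port 8080 is not reachable from outside.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

A port 443 virtual host takes the same proxy lines plus the usual mod_ssl certificate directives.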