as Mr William Brogden is asking, just conclude some point.
based on J2EE blueprint & my experience , Apache + Tomcat is better approach. there's a strong voice in my mind, Apache is Web server[\B], Tomcat is [B]Application Server
1. Web server usually deployed before DMZ, and application server is
deployed within private network.
2. unless your application is not critical, means that it does cost you
much if it die.
3. the most simple & available internet attack is DoS.
I don't know how Tomcat is going to handle this, but I know Apache can
do some thing.
4. beside the security reason, I don't know how the application cluster
could be configured if no web server set up.
5. anyway, it is your own choice. Tomcat alone can handle the job, and
everyone feel comfortable with this, specially your customer. then
tomcat alone is alright.
There's also a rule, just keep it simple if the simple solution can
handle the job. as complex solution also introduce more failure points.
[ May 21, 2004: Message edited by: Lipman Li ]