Apache Tomcat is one of the most popular Java application servers in the world. It is lightweight, starts in seconds, is flexible and supports numerous hot-deployment options.

If you are going to use Apache Tomcat for Java EE project deployment, then you should always follow these guidelines for better performance and security.

1. Secure manager access

Add a user with the manager roles in Tomcat's conf/tomcat-users.xml file, under the tomcat-users element:

<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="your username here" password="your password"
roles="manager-gui,manager-script"/>

Then limit manager access to a known IP address. The RemoteAddrValve is a Context element, so it belongs in the manager application's own context file (webapps/manager/META-INF/context.xml), not in tomcat-users.xml:

<Context privileged="true">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
</Context>

The allow attribute is a regular expression that must match the client's whole address, so list every address that should be allowed, separated by |.

2. Setup Memory Parameters

Check how much physical memory you have, and set PermSize (the permanent-generation heap), JVM Xms and Xmx accordingly. Note that PermSize applies to Java 7 and earlier; on Java 8 and later the permanent generation was replaced by Metaspace and -XX:PermSize is ignored with a warning.
To set these environment variables, create a setenv.sh file in Tomcat's bin/ directory and change its permissions to "execute".
Add the lines below to this file:

# Only set JVM options when starting Tomcat, not when "catalina.sh stop" is run
if [ "$1" != "stop" ] ; then
 export JAVA_OPTS="-XX:PermSize=64m"
 export CATALINA_OPTS="-Xms64m -Xmx128m"
fi
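As an added example (not code from the original article), the script below reads a setenv.sh, pulls the -Xms, -Xmx and PermGen/Metaspace flags out of the JAVA_OPTS and CATALINA_OPTS exports, and checks them against the host's physical memory and Java version. The setenv.sh text and host figures are constructed for the example, and the 75% heap ceiling is a rule of thumb chosen here, not a Tomcat or JVM requirement.

```python
"""Sanity-check the JVM memory flags in a Tomcat setenv.sh.

Added example (not from the original article): it pulls -Xms, -Xmx and the
PermGen/Metaspace flags out of the JAVA_OPTS / CATALINA_OPTS exports and flags
settings that do not fit the host or the Java version. The setenv.sh text and
the host figures below are constructed for the example.
"""
import re

# Constructed sample, mirroring the setenv.sh shown above.
SAMPLE_SETENV = '''if [ "$1" != "stop" ] ; then
 export JAVA_OPTS="-XX:PermSize=64m"
 export CATALINA_OPTS="-Xms64m -Xmx128m"
fi
'''

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# Matches -Xms64m, -Xmx2g, -XX:PermSize=64m, -XX:MaxPermSize=256m, -XX:MaxMetaspaceSize=256m
_FLAG_RE = re.compile(
    r"-(Xms|Xmx|XX:PermSize=|XX:MaxPermSize=|XX:MaxMetaspaceSize=)(\d+)([kKmMgG]?)")


def parse_jvm_memory_flags(setenv_text):
    """Return {flag: bytes} for the memory flags found on JAVA_OPTS/CATALINA_OPTS lines."""
    found = {}
    for line in setenv_text.splitlines():
        # Only the exports count; a commented-out or unrelated line is ignored.
        if line.lstrip().startswith("#") or not re.search(r"\b(JAVA_OPTS|CATALINA_OPTS)=", line):
            continue
        for name, num, unit in _FLAG_RE.findall(line):
            found[name.rstrip("=")] = int(num) * _UNITS[unit.lower()]
    return found


def check_memory_settings(flags, physical_bytes, java_major):
    """Return a list of findings; an empty list means the settings look sane.

    physical_bytes is the host RAM and java_major the JVM major version (7, 8, 11, ...);
    both are assumed to be known by the caller.
    """
    findings = []
    xms, xmx = flags.get("Xms"), flags.get("Xmx")
    if xmx is None:
        findings.append("no -Xmx set; the JVM default depends on the host and may not suit it")
    else:
        # Leave room for the OS, PermGen/Metaspace, thread stacks and off-heap buffers
        # (75% is this example's rule of thumb, not a JVM rule).
        if xmx > physical_bytes * 0.75:
            findings.append("-Xmx is above 75% of physical memory; risk of swapping or an OOM kill")
        if xms is not None and xms > xmx:
            findings.append("-Xms is larger than -Xmx; the JVM will refuse to start")
    if java_major >= 8 and ("XX:PermSize" in flags or "XX:MaxPermSize" in flags):
        findings.append("PermSize/MaxPermSize are ignored on Java 8+; PermGen was replaced by Metaspace")
    return findings


if __name__ == "__main__":
    flags = parse_jvm_memory_flags(SAMPLE_SETENV)
    print(flags)
    for finding in check_memory_settings(flags, physical_bytes=2 * 1024 ** 3, java_major=8):
        print("WARN:", finding)
```

Run it against your own bin/setenv.sh by reading the file into `parse_jvm_memory_flags` and passing the host's RAM (from /proc/meminfo or `free -b`) and the output of `java -version`; the PermSize finding is the one most installations upgraded from Java 7 still trip over.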

3. Change tomcat default port

Run Tomcat on a port number other than its default, 8080.
It is a bad idea to run the Tomcat service on ports below 1024, because only root can bind those ports, so you would have to run Tomcat as root. It is better to run the Apache HTTP server on port 80 and use mod_jk (or mod_proxy_ajp) to proxy requests to Tomcat, or to use nginx as the reverse proxy.
To change Tomcat's default port, edit the conf/server.xml file.
Find the Connector tag in the file, which looks like:

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />

Then change the port to whatever you wish.

4. Change default shut-down port

From a security point of view it is good to change Tomcat's default shut-down port, 8005, to some other port.
To change the shut-down port, open the conf/server.xml file.
Find the Server tag in the file, which looks like:

<Server port="8005" shutdown="SHUTDOWN">

Then change the port to whatever you wish.
If you don't want to change the shut-down port, then restrict access to port 8005 to local connections with a firewall. Tomcat binds the shutdown listener to localhost by default (the Server element's address attribute), and setting port="-1" disables the shutdown listener altogether.
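The checks from steps 1, 3 and 4 can be automated. The script below is an added example, not code from the original article: it parses conf/server.xml, the manager application's META-INF/context.xml and conf/tomcat-users.xml with the standard library and reports which hardening steps are still missing (default HTTP and shutdown ports, privileged ports, a manager app without a RemoteAddrValve, and manager accounts with empty passwords). The three XML samples are constructed for the example; the file locations in the comments are the Tomcat defaults and may differ in your installation.

```python
"""Audit Tomcat configuration files for the hardening steps described above.

Added example, not code from the original article: it parses server.xml, the
manager application's META-INF/context.xml and tomcat-users.xml with the
standard library and reports which steps are still missing. The three XML
samples below are constructed for the example.
"""
import xml.etree.ElementTree as ET

DEFAULT_HTTP_PORT = "8080"
DEFAULT_SHUTDOWN_PORT = "8005"
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample of conf/server.xml, still on the stock ports.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample of webapps/manager/META-INF/context.xml with no address restriction.
SAMPLE_MANAGER_CONTEXT = '<Context privileged="true"/>'

# Constructed sample of conf/tomcat-users.xml with a manager account and no password.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="" roles="manager-gui,manager-script"/>
</tomcat-users>"""


def _local(tag):
    """Strip an XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    """All elements in the tree with the given local name, namespaced or not."""
    return [e for e in root.iter() if _local(e.tag) == name]


def audit_server_xml(text):
    """Steps 3 and 4: default HTTP connector port and default shutdown port."""
    findings = []
    root = ET.fromstring(text)
    if _local(root.tag) == "Server" and root.get("port") == DEFAULT_SHUTDOWN_PORT:
        findings.append("shutdown port is still the default 8005")
    for conn in _elements(root, "Connector"):
        port = conn.get("port", "")
        if port == DEFAULT_HTTP_PORT:
            findings.append("HTTP connector is still on the default port 8080")
        elif port.isdigit() and int(port) < 1024:
            findings.append("connector on port %s needs root; front Tomcat with a reverse proxy instead" % port)
    return findings


def audit_manager_context(text):
    """Step 1: is the manager app limited to known addresses by a RemoteAddrValve?"""
    root = ET.fromstring(text)
    valves = [v for v in _elements(root, "Valve") if v.get("className") == REMOTE_ADDR_VALVE]
    if not valves:
        return ["manager app has no RemoteAddrValve; it is reachable from any address"]
    return ["RemoteAddrValve is present but has no allow list" for v in valves if not v.get("allow")]


def audit_tomcat_users(text):
    """Step 1: manager-role accounts that have an empty password."""
    findings = []
    root = ET.fromstring(text)
    for user in _elements(root, "user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if roles & MANAGER_ROLES and not user.get("password"):
            findings.append("manager user %r has an empty password" % user.get("username"))
    return findings


def audit_all(server_xml, manager_context_xml, tomcat_users_xml):
    """Run the three audits and return every finding in one list."""
    return (audit_server_xml(server_xml)
            + audit_manager_context(manager_context_xml)
            + audit_tomcat_users(tomcat_users_xml))


if __name__ == "__main__":
    # On a real host, read the three files from $CATALINA_BASE instead of the samples.
    for finding in audit_all(SAMPLE_SERVER_XML, SAMPLE_MANAGER_CONTEXT, SAMPLE_TOMCAT_USERS):
        print("WARN:", finding)
```

Element names are matched on their local name so the script works whether or not tomcat-users.xml declares the http://tomcat.apache.org/xml namespace that newer Tomcat versions add. An empty result from `audit_all` means the four points above are in place; it says nothing about password strength or the TLS setup, which still need separate review.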

Also, here are some general guidelines for production deployment:

  1. Set up log rotation on the Tomcat logs (mainly catalina.out) so that disk space can be recovered. If log rotation is not set up, catalina.out may grow to GBs, which makes Tomcat sluggish.
  2. Add a load balancer if you can afford one, as it allows you to scale horizontally by adding more Tomcat instances.
  3. Always use a domain name for the API endpoint instead of an IP address. This way, if you lose the IP address, you can still reconfigure your DNS to point to a new server.
  4. Always use an SSL certificate and HTTPS for API access.

The USP of Apache Tomcat is that it is open source. Tomcat has been under active development for almost 15 years now, which makes it production-ready in terms of stability, performance and security. If you follow the above guidelines you should have a stable and secure deployment for your Java EE applications.