To secure the communication to and from your Tomcat servlet container you should use SSL. Usually there’s an Apache or Nginx in front of Tomcat to serve external clients’ request and this web front server is also supposed to provide SSL connectivity. However, this is not always the case and Tomcat may be accessed by clients directly so the SSL should be installed on Tomcat.
Furthermore, even if there’s a dedicated frontend, the communication between that frontend and Tomcat should be also secured with an SSL, especially if the two servers are in two different networks and there is a chance of network sniffing. The latter is not only a good security practice but often a requirement such as for the PCI SSC Data Security Standards.
Read more at Website-security.info…
