A further security consideration is HTTP versus HTTPS. Unless you're only making this server available to trusted users on a LAN, you shouldn't be able to access anything in the app via HTTP, only HTTPS. It's a real pain to set up HTTPS (SSL/TLS) in Tomcat, and so for general outside client access, I recommend that you front it with a reverse proxy such as Apache or Nginx. They are much easier to secure and offer the additional advantage that they don't have to run under admin security rules to use ports 80 and 443.
A good authentication and authorization system is a must as well. DON'T try to invent one. It WILL be hackable. Instead use the JEE built-in container A&A system or a well-tested third-party system like Spring Security.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
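One way to set up the reverse-proxy arrangement the post recommends, added here as an illustration and not taken from the thread: an Nginx configuration that terminates TLS on 443, redirects plain HTTP, and forwards only to a Tomcat bound to loopback. The hostname, certificate paths and backend port 8080 are placeholders/assumptions.

```nginx
# Added example (not from the thread): Nginx in front of Tomcat.
# Assumes Tomcat's HTTP connector listens on 127.0.0.1:8080 and that
# example.com and the certificate paths are replaced with real values.

# Plain HTTP: serve nothing, only redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# HTTPS: the only way into the application.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Ask browsers to stay on HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Pass the original host, client address and scheme so Tomcat
        # (with RemoteIpValve) builds redirects and secure cookies for https.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
    }
}
```

On the Tomcat side, bind the HTTP Connector to the loopback address (the `address` attribute in server.xml) so the app cannot be reached except through the proxy, and enable `org.apache.catalina.valves.RemoteIpValve` so Tomcat honours X-Forwarded-Proto.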