Directory displays are handled by the DefaultServlet as configured in the default web.xml file. There are a number of configuration parameters, including "listings" - set that to false and Tomcat will not do any directory listings. You could then handle security and file serving in a custom servlet for that application.
You can also create a modified version of DefaultServlet or use XSLT to customize the display generated by DefaultServlet.
subject: restricted files access using apache/jakarta tomcat