There are 2 ways to simplify the URL. One is to modify Tomcat's server.xml to use port 80 rather than its default of 8080 and to install the webapp in place of Tomcat's default root webapp.
The other way is to proxy Tomcat. The Apache HTTP server is often used to do this using either the old mod_jk connector or the newer Apache mod_proxy.
The second way has the advantage of keeping port 80 available for non-Java webapps and it minimizes the amount of customization needed to the Tomcat configuration and app deployment. The price is that you're now running 2 servers instead of 1.
The first way eliminates that expense, but the price is that you cannot just use Tomcat in its "out-of-the-box" configuration.
Customer surveys are for companies who didn't pay proper attention to begin with.
As for J2EE (Tomcat) security, the best place to start is any good book on servlets and JSPs. Read up on setting up web.xml for secure transport, security roles, and secured URLs. That will tell you what you need on the application side.
On the Tomcat side you simply deploy with a security Realm configured into the application Context. There are a number of Realm plugins that come with Tomcat, including JDBC, LDAP, and JAAS. There's also a simpler set of MemoryRealms that make testing easier by allowing you to define user IDs, passwords and security roles in an XML file (tomcat-users.xml).