I'm fairly new to web programming, and am wondering what are the more important security issues I ought to be aware of. I'm considering hosting rich web applications backed by JSP and servlets in a Debian/Tomcat environment. I might also add in a database to store user information. I know from the C side of things that you need to be paranoid in checking any request info you're given to guard against buffer overruns, but I would think that particular issue is precluded in Java.
Are there any good resources out there for securing your webserver?
There are lots and lots of security concerns. Two primary ones you need to watch out for are script injections and SQL injections. The former is pretty much handled by making sure that any data displayed on a page from an untrusted source is HTML-encoded (<c:out> takes care of that automatically), while the latter is generally handled by use of PreparedStatements for SQL.
And, of course, always use SSL to prevent snooping.
You might want to check out the Security forum for more information, or research articles dedicated to Web security.
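The two defences the answer names, shown side by side with the patterns they replace, as an added example that is not part of the original thread. The `htmlEncode` helper does by hand what `<c:out>` does in a JSP, and the `users` table with its `id` and `name` columns is an assumption made for the illustration; the `lookupUserId` method needs a real JDBC `Connection`, so `main` only exercises the parts that run without a database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example, not code from the original thread. Contrasts string building
// (vulnerable) with output encoding and parameterised SQL (the fixes) for a
// hypothetical "users" table with "id" and "name" columns.
public class InputHandlingExample {

    // --- Script (XSS) injection --------------------------------------------

    // What <c:out> does for you in a JSP: escape the characters that let data
    // break out of HTML text or an attribute value. Apply it to anything echoed
    // back that came from a request parameter, a cookie, or the database.
    public static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#34;");  break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable: request data written straight into the page, so any markup
    // in it is interpreted by the browser.
    public static String greetUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Fixed: same page, untrusted value encoded first, so it renders as text.
    public static String greetSafe(String name) {
        return "<p>Hello, " + htmlEncode(name) + "</p>";
    }

    // --- SQL injection -------------------------------------------------------

    // Vulnerable: the query text is assembled from the parameter, so the
    // parameter's characters become part of the SQL (a quote alone breaks it).
    public static String lookupQueryUnsafe(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    // Fixed: the query text is constant; the parameter is sent to the driver as
    // a bound value and cannot alter the statement, whatever it contains.
    public static Integer lookupUserId(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);            // bound as data, not spliced into SQL
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: values a user could type into a form field.
        String htmlInput = "<b>Bob</b>";
        System.out.println(greetUnsafe(htmlInput)); // <p>Hello, <b>Bob</b></p>  (bold tag is live)
        System.out.println(greetSafe(htmlInput));   // <p>Hello, &lt;b&gt;Bob&lt;/b&gt;</p>

        String sqlInput = "O'Brien";
        // The apostrophe ends the string literal early and leaves a syntax error
        // behind; with the prepared statement the same value is just a name.
        System.out.println(lookupQueryUnsafe(sqlInput)); // SELECT id FROM users WHERE name = 'O'Brien'
    }
}
```

In a JSP the encoding step is simply `<c:out value="${param.name}"/>` instead of `${param.name}`; the prepared statement belongs in the servlet or data-access code, never in page markup.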