I have some experience with building web applications that are placed in the Tomcat container, but I have rarely given much importance to security.
I would like to know more about the following functionalities and how they work in Tomcat. Some links to good references will do fine as well.
a.) Restricting direct access to a particular file/folder present in the web application's directory at any hierarchical level.
b.) Restricting direct access to file(s) with a particular extension (and it can be any extension, not the ones we usually encounter like .txt, .html etc.)
By direct access, I mean a person should not be able to get to the resource/file by typing its URL/path on the container.
If you still want someone with the right credentials to be able to access those files, in effect password-protecting them, then servlet security may be what you're looking for. The http://faq.javaranch.com/java/ServletsFaq#security page has some pointers to get you started with that.
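
As an added example (not part of the original posts), this is how the two cases discussed above look as declarative servlet security in a web application's `WEB-INF/web.xml`: one constraint that blocks direct requests outright, and one that password-protects a folder. The folder names `/internal` and `/reports`, the `.dat` extension, and the `file-reader` role are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Deny every client request for these paths. An empty <auth-constraint/>
       means "no role may access". Internal RequestDispatcher forwards and
       includes are not subject to the constraint, so servlets can still
       use the files. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No direct access</web-resource-name>
      <!-- Prefix patterns are anchored at the context root, so a nested
           folder needs its full path (assumed folder name). -->
      <url-pattern>/internal/*</url-pattern>
      <!-- Extension patterns match at any depth (assumed extension). -->
      <url-pattern>*.dat</url-pattern>
      <!-- No <http-method> elements: the constraint covers all methods.
           Listing only some methods would leave the others unprotected. -->
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Password-protect a folder instead: only the named role gets in. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected files</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>file-reader</role-name> <!-- assumed role name -->
    </auth-constraint>
    <!-- BASIC sends credentials on every request, so require TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected files</realm-name>
  </login-config>

  <security-role>
    <role-name>file-reader</role-name>
  </security-role>
</web-app>
```

The users and their roles come from whichever Realm Tomcat is configured with; the default installation reads them from `conf/tomcat-users.xml`.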