Regarding point 1, read up on the <load-on-startup> element of the web.xml file. It lets you specify a servlet to be run on startup which can initialize things for you.
Regarding point 2, it sounds like some sort of access control is needed. Using the security-constraint, login-config and security-role elements of web.xml you can specify who has access to which URLs of your web app. You also have to configure a realm in
Tomcat; an easy way of doing that is
described here.
[ August 29, 2005: Message edited by: Ulf Dittmer ]