For starters, I would make sure that every method that uses a connection, statement, or resultset, explicitly closes these resources in a finally block.
The commons/dbcp package (what Tomcat uses as it's connection pool manager) overrides the connection.close() method. In their implementation, the close method returns the connection to the pool. So.. if you don't call it, the connection object's reference in the connection pool is kept alive (can't be garbage collected) but can't be reused. This means that the pool has to keep creating connections but can never clean them up.
This is probably the most common form of Memory leak in a Java web application.