I would actually replace Tomcat with JBoss. You can re-use the Tomcat code on the built in Tomcat on JBoss. You could also do the following things: Only allow deployment of EAR files. If user deploys WAR, wrap it in an EAR, it's only zip files and descriptors to build. When deployed through Plesk, go through the XML descriptors and add security information to ensure nobody's stuff intermingles (enhanced security) Because introspection is being used, could also create necessary grants to codebases for user home directories, etc. Greatly enhances value of Plesk for ISPs. There are other extremely useful things that can be done with a full J2EE plugin that can't/aren't being done in Plesk with the Tomcat plugin.