Tomcat should automatically allow all codebases to connect to ports 5432 and 3306. These are the ports for MySQL and PostgreSQL. In addition, all codebases should have permission to open connections to port 80 by default. This allows JSP/Servlets to handle SOAP and web-services (as a client). These are important features. Even if access for 5432 and 3306 are limited to 127.0.0.1 only, it would be a drastic improvement and permit things that the other languages for CGI and PHP can do implicitly. I see these types of help on the forum all the time and it is easy to identify which are the most important. I would actually recommend most common ISP services to be allowed. 80 - anywhere 143 - localhost 110 - localhost 25 - localhost 53 - udp/tcp localhost 3306 - localhost 5432 - localhost I could even hear arguments for active/passive mode FTP definitions and the ability to read/write to the filesystems such as the /tmp directory and the user's home directories. User could even define via the interface which codebase he is using and what he needs. Something. Right now the Tomcat support is too stringent and basically a glorified WAR deployer.