Well...
- The first suggestion is based on that the web application is a J2EE standard WAR package. Setup is done in "WEB-INF/web.xml" and "WEB-INF/jboss-web.xml"
- For the second suggestion I would suggest using google to find more information about tomcat valves. (It's more of a programming solution rather than configuration I'm afraid)