In theory at least, no, nobody can view your files.
Tomcat "protects" its config files and anything under WEB-INF .
Does this mean it's 100% impossible? Certainly not. On the internet,
nothing is impossible.
Mostly, don't make some stupid configuration mistake (like mapping your
TOMCAT/conf d
Given that a firewall blocks everything except port 8080 (Tomcat) and 80
(Apache). Can someone crack in to view the server.xml. This assumes
that the cracker already know that it is Tomcat running (perhaps by
noticing .jsp).
--
Daniel Hinojosa
Java & XML Consultant | Developer | Instructor