What should you check before putting an internal Java app online in the UK?

If you are preparing an internal Java app for launch, the biggest mistakes usually happen before the first user logs in: unclear access control, weak deployment checks, missing JVM tuning, and no rollback plan. For a UK team running a business tool, admin portal, workflow app, or internal dashboard, the goal is not just to “get it online”, but to make sure it is secure, supportable, and easy to manage from day one.

If you are using a managed hosting platform with Plesk and a Java hosting extension such as My App Server, you can run your own Apache Tomcat instance or private JVM inside a shared hosting account. That makes it practical to host internal Java apps, JSP applications, servlet-based tools, and small to medium custom systems without needing a full enterprise application server setup.

Before you publish an internal Java app in the UK, check the application, the hosting environment, the access model, and the operational process. The following checklist covers the most important points.

Check whether the app really belongs online

Before you deploy, confirm that the app is ready to move from development or staging into a live environment. Internal apps often reach production too early because they are “only for staff”, but that does not reduce the need for basic controls.

Ask these questions first

  • Does the app handle real business data?
  • Will staff use it daily, or only occasionally?
  • Does it connect to finance, HR, customer, or operational systems?
  • Will multiple users access it at the same time?
  • Does it need audit trails or login history?

If the answer to any of these is yes, treat it like a real production service. Even an internal tool can expose sensitive data, create compliance risk, or interrupt operations if it fails.

Define the business owner

Every internal Java application should have a named business owner and a technical owner. The business owner decides who should use the app and what data it may show. The technical owner is responsible for deployment, service control, updates, and incident handling.

Without clear ownership, internal tools often become difficult to maintain, especially when a developer leaves or the original use case changes.

Review access control before launch

One of the most important checks for a UK internal app is access control. “Internal” does not mean “safe by default”. If the app is reachable from the internet, then you must assume it can be found by outsiders unless proper protection is in place.

Minimum access checks

  • Require authentication for all sensitive pages.
  • Use role-based access for different staff groups.
  • Remove test logins, shared accounts, and default passwords.
  • Confirm that administrative functions are separated from normal user functions.
  • Check that session timeout and logout work correctly.

Consider network-level restrictions

If your internal Java app is only for employees or trusted contractors, use network restrictions where possible. Common controls include IP allowlisting, VPN access, or extra HTTP authentication at the web server level. In a hosting control panel environment, this can often be layered with application login for added protection.

For administrative tools, it is often wise to restrict access more tightly than for everyday staff tools. The smaller the number of people who can reach the admin area, the lower the risk.

Check for insecure endpoints

Internal applications often expose hidden functionality during development, such as debugging pages, test APIs, file upload endpoints, or example services. Review the app for anything that should not be public. Search for:

  • debug or test URLs
  • verbose stack traces
  • admin endpoints without authentication
  • open file upload functions
  • hard-coded credentials in configuration files

Validate the Java runtime and Tomcat setup

If you are using My App Server for Java hosting, one of the main benefits is that you can manage your own Tomcat or private JVM from within Plesk. That flexibility is useful, but it also means you must verify the runtime settings before going live.

Confirm the Java version

Make sure the app is tested on the exact Java version it will use in production. A Java app that works on a developer laptop may behave differently on another JDK or on a specific Tomcat version.

Check for:

  • Java version compatibility with your framework
  • Tomcat version compatibility with your app
  • library conflicts caused by outdated dependencies
  • any features removed or changed in the chosen runtime

If your app uses older code, test carefully before upgrading the Java runtime. If it uses a modern framework, confirm that the container and JVM settings match the framework’s requirements.

Review memory and thread settings

Internal Java apps often fail because of resource settings rather than code bugs. Check the JVM memory allocation, Tomcat thread pool settings, and any application-specific cache sizes. On shared hosting, resources still need to be set realistically for the size of the app and its expected usage.

Typical checks include:

  • heap size is enough for normal load
  • max thread count is not too high for the account
  • GC pauses do not affect interactive users
  • logs show no signs of memory pressure during testing

Test the service control functions

Before launch, confirm that you can start, stop, and restart the Java service from the control panel. If your hosting platform includes service management in Plesk, verify that the service control behaves as expected and that you know who has permission to use it.

This is especially important for internal tools because a restart may be needed after configuration changes, deployment, or a memory issue. If the service cannot be controlled cleanly, support becomes much harder.

Check application security in detail

Security checks for internal Java apps should be practical and focused on common failure points. Many internal tools are built quickly and then forgotten, which makes them a frequent source of avoidable risk.

Review authentication and password handling

Confirm that passwords are stored using a strong one-way hashing method, not plain text or weak encryption. If your app supports single sign-on, make sure the integration is correct and that fallback local logins are tightly controlled.

Also check:

  • password reset flow
  • account lockout rules
  • multi-factor authentication if required by policy
  • password policy alignment with company standards

Check session and cookie security

For browser-based internal tools, session management matters just as much as login. Make sure cookies are marked appropriately, sessions expire correctly, and logged-out sessions cannot be reused.

Look for:

  • secure and HttpOnly cookie flags
  • session timeout after inactivity
  • session rotation after login
  • no sensitive data in URLs

Protect sensitive data in transit and at rest

Any internal app used in the UK should use HTTPS. Even if the app is not customer-facing, staff may access it from office networks, home connections, or mobile devices. Encrypted transport is essential.

Also check whether the app stores sensitive information in logs, temporary files, exports, or database backups. Internal tools often create spreadsheet exports or cached documents that are overlooked during security review.

Confirm the deployment process is repeatable

A common problem with custom Java apps is that the first deployment works, but the second one becomes manual and fragile. Before putting the app online, make sure the deployment process is documented and repeatable.

Deployment checklist

  • Build output is versioned and traceable.
  • Configuration is separated from code where possible.
  • Environment variables or config files are documented.
  • WAR, JSP, or supporting files deploy correctly to Tomcat.
  • Database migrations are tested in the same order every time.
  • Old files are cleaned up during deployment.

If you are using a control panel workflow, confirm where the application files live, how Tomcat reads them, and how updates are applied. The fewer manual steps, the easier it is to support the app later.

Keep staging close to production

Internal Java apps should be tested in an environment that closely matches production. That means the same Java version, similar Tomcat configuration, the same database type, and similar access rules. If staging and production differ too much, deployment surprises become likely.

Test integrations and external dependencies

Most internal apps do not run alone. They often rely on LDAP, SMTP, external APIs, CRM platforms, finance systems, file shares, or database services. Before launch, test every dependency end to end.

Check connectivity and fallback behaviour

  • Can the app connect to the database reliably?
  • Do API credentials work in the live environment?
  • What happens if SMTP fails?
  • Does the app handle timeouts gracefully?
  • Are error messages useful but not revealing?

If the app depends on a remote service, define what the user sees when that service is unavailable. Internal staff need clear messages, not broken pages or stack traces.

Review scheduled jobs and background tasks

Many Java apps include background jobs such as report generation, imports, cleanup tasks, or notification dispatch. Confirm the schedule, runtime, and logging for every background task before the app goes live.

Watch for overlapping jobs, duplicate execution, or tasks that continue running after a restart. These issues are especially common in servlet-based tools and custom Java applications running on Tomcat.

Check logs, monitoring, and alerting

Once an internal app is live, the first sign of trouble should not come from end users. You need enough visibility to notice issues early and diagnose them quickly.

Logging essentials

  • Application logs are enabled and readable.
  • Errors are written with enough detail to diagnose problems.
  • Logs do not expose passwords, tokens, or personal data.
  • Log rotation is in place to prevent disk growth.
  • Time stamps are clear and consistent.

If you are using a hosted control panel environment, confirm where logs are stored and who can access them. The support team and application owner should know how to find startup logs, error logs, and Tomcat-specific messages.

Set practical monitoring thresholds

You do not need complex enterprise monitoring for every internal app, but you should monitor the essentials: service uptime, error rate, disk usage, memory consumption, and backup success. For many small and medium Java applications, this is enough to catch most operational issues early.

Verify backup and rollback options

Before putting an internal Java app online, make sure you can recover quickly if a deployment fails or the latest version causes issues.

Backup what matters

  • application code or WAR file
  • configuration files
  • database backup
  • uploaded files and documents
  • scheduled job definitions, if stored separately

For hosted Java applications, a clear backup process is especially important because app code, database content, and JVM configuration may all need to be restored together.

Have a rollback plan

Your rollback plan should answer three questions:

  • What previous version can be restored?
  • How long will rollback take?
  • Who is allowed to trigger it?

Test rollback before launch if possible. A rollback that exists only on paper is not enough for a business tool used by staff every day.

Check browser compatibility and user experience

Internal apps are often used in different ways than public websites. Staff may open them from desktop browsers, older corporate laptops, or locked-down workstations. That means usability matters.

Confirm the app works in the browsers your team uses

  • test form behaviour
  • check file uploads and downloads
  • verify tables, filters, and date pickers
  • review mobile behaviour only if mobile access is expected
  • ensure error messages are understandable

Small usability problems can become expensive when the app is used dozens or hundreds of times a day by internal staff.

Review compliance and data handling for UK use

For a UK audience, internal Java apps often touch personal data, employee records, customer references, or operational data. You should confirm that data handling matches your organisation’s policies and any applicable legal obligations.

Practical compliance checks

  • Collect only the data the app really needs.
  • Limit access to staff who need the information.
  • Keep retention periods defined.
  • Make exports and reports controlled.
  • Document how data is deleted or archived.

If the app stores personal data, make sure the relevant teams understand where the data lives, who can access it, and how long it remains in the system.

Test before production cutover

Before you switch users to the live app, perform a controlled final test. This should include login, core workflows, reporting, file handling, and any background jobs that must run on schedule.

Go-live checklist

  • Confirm the correct Java and Tomcat version is active.
  • Validate HTTPS and certificate status.
  • Check all required environment variables and configs.
  • Run a smoke test of the main user journey.
  • Verify admin access and service control.
  • Check logs immediately after startup.
  • Confirm backups are current.

If your app is hosted with My App Server, this is also the point where you should confirm that the chosen Java service is running as expected inside the hosting account and that the deployment path is correct.

Common mistakes to avoid

  • Launching with default credentials still enabled.
  • Assuming “internal” means “no security required”.
  • Using a Java version that was never tested with the app.
  • Keeping debugging output turned on in production.
  • Not knowing how to restart the Tomcat service.
  • Storing configuration inside the codebase with no documentation.
  • Skipping rollback preparation because the app is small.
  • Forgetting to test logs, backups, and scheduled tasks.

When a hosted Tomcat setup is a good fit

For many internal tools, a controlled Tomcat hosting setup is a sensible choice. It is well suited to WAR deployments, JSP applications, servlet-based tools, and custom Java apps that need their own runtime without the overhead of a larger application platform.

A managed hosting environment with Plesk and My App Server can be especially useful when you want:

  • your own Tomcat instance or private JVM
  • easy service control from the panel
  • simple deployment of Java web apps
  • flexibility to choose from supported Java versions
  • separate runtime settings for a small or medium app

This model is practical for internal business tools, but it is still important to stay within the intended scope of the service and avoid designing the app as if it were a large clustered enterprise platform.

FAQ

Do internal Java apps need HTTPS if only staff can use them?

Yes. Staff tools should still use HTTPS, especially if they carry personal data, business records, or admin access. Encrypted transport should be standard even for internal use.

Should I use Tomcat or a full enterprise application server?

For many internal tools, Tomcat is enough. If your app is a WAR, JSP, or servlet-based application with moderate requirements, a private Tomcat or JVM is often the simplest practical option. Only move to a heavier platform if the app truly needs it.

What should I test first before going live?

Start with login, role access, core workflows, database connectivity, file uploads, background jobs, logging, and service restart. These are the areas most likely to cause production issues.

Can I host a custom Java app in a shared hosting account?

Yes, if the hosting platform supports Java hosting through a dedicated extension or service such as My App Server. This can work well for small to medium internal apps that need their own Tomcat or private JVM.

What if my app needs a Java version that is not listed by default?

Check whether your hosting platform allows manual upload and configuration of a custom version. If so, test it carefully before production use and make sure the app is compatible with that runtime.

How do I know whether the app is safe enough for staff use?

Review authentication, session handling, access control, logs, HTTPS, and data storage. If sensitive information is involved, also check retention, backup, and audit requirements.

Final checklist before you put the app online

Before launch, make sure you can answer yes to these points:

  • The app has a named owner.
  • Access control is tested and restrictive enough.
  • The Java and Tomcat versions are confirmed.
  • Memory and service settings have been reviewed.
  • Logs are enabled and usable.
  • Backups and rollback are ready.
  • Integrations and scheduled tasks have been tested.
  • HTTPS is active and working properly.
  • Deployment steps are documented.
  • The app has been smoke-tested in a staging-like environment.

Conclusion

Putting an internal Java app online is not just a deployment task. It is a small production release that should be checked for security, stability, access control, and support readiness. For UK businesses, that means making sure the app is fit for staff use, compliant with internal policies, and easy to maintain after launch.

If you are using a hosting platform with Plesk and My App Server, you have a practical way to run your own Tomcat or private JVM, manage service control, choose the Java version you need, and deploy a custom Java application with less operational overhead. The key is to verify the basics before go-live, not after users find the problem.

  • 0 Users Found This Useful
Was this answer helpful?