The best approach is to define JDBC datastore in tomcat and then look it up in your web application. Following samples are shamelessly copied from tomcat documentation. This way you do not have any passwords in your applicaion. The configuration is done by tomcat administrator, not by web application developer.
Context:
<Resource name="jdbc/TestDB" auth="Container" type="javax.sql.DataSource"
maxActive="100" maxIdle="30" maxWait="10000"
username="javauser" password="javadude"
driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/javatest"/>
web.xml
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/TestDB</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
test.jsp
<sql:query var="rs" dataSource="jdbc/TestDB">
select id, foo, bar from testdata
</sql:query>
servlet
Context initContext = new InitialContext();
Context envContext = (Context)initContext.lookup("java:/comp/env");
DataSource ds = (DataSource)envContext.lookup("jdbc/TestDB");
Connection conn = ds.getConnection();
Regarding your security requirements: this is harder, because the password is plaintext there as well. You can limit access rights so only web container can read it. Encrypting password will not work with symmetrical ciphers because attacker can get them as well. And asymmetrical ciphers - he can get decode key too. So you must set up the environment that attacker will not see content of the configuration files. If he is root, everything is lost anyway.