What is the correct way of running Tomcat under a different user (Centos 7)?

According systemd documentation you should create directory /lib/systemd/system/tomcat.service.d and put there file with .conf extension, then add to that file required changes for User and Group:

[Service]
User=webapp
Group=webapp

After this your changes to service would be permanent, because they stored in separate location, which not change after update. That solution was created for cases like you, when you want to change service parameters in .service file, but after each update it rewrites with new file.

The file /lib/systemd/system/tomcat.service should not be changed. If you need to overwrite them, just copy the file to /etc/systemd/system/tomcat.service, and edit the /etc/systemd/system/tomcat.service file.

After you change the file, ask systemd to reload the config:

systemctl daemon-reload

Change the permissions so that the user has access to tomcat files (chown, chmod, setfacl) Then restart the service: systemctl restart tomcat

Edit: You can have a different $CATALINA_BASE pointing to a subfolder in /opt where your application is located. $CATALINA_HOME will point to where tomcat is installed by rpm. In this way when you upgrade tomcat package all instances of tomcat will get upgraded. Search for "Advanced Configuration - Multiple Tomcat Instances" in https://tomcat.apache.org/tomcat-7.0-doc/RUNNING.txt If you use this setup, $CATALINA_HOME should be owned by root with no write permission for tomcat or any other user, and $CATALINA_BASE should be owned by your application user (e.g tomcat-myapp)