The Apache software foundation reports:
The "WWW-Authenticate" header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, a <realm-name> is not specified then Tomcat will generate one. In some circumstances this can expose the local hostname or IP address of the machine running Tomcat.