We can see the content of script in the webapps tree : found here: NXROOT/bopcfg/../webapps.
For example, this file is visible without authentication: http://serverName:8080/AMS/scripts/create_user.sql
The fact is : We do not want not authenticated users see the content of any files in bopcfg/.../webapps.
We need authentication in tomcat to not allow any users to see the files in webapps.
The users of SD will be authenticated users in tomcat, any other users can't see tomcat's files.