Is authentication mandatory when setting up a reverse proxy?
Solution 1:
I think there is no general guideline on that topic. I have set up multiple reverse proxies in different areas and sometimes used authentication and sometimes not, heavily depending on the actual use case.
From your question
My web application server which runs linux tomcat stack, has all the mandatory security and firewall infrastructure and can authenticate its own requests.
i would deduce that authentication in your proxy would not make a lot of sense when your server is already doing that. Including authentication in your reverse proxy makes sense when you want to create a secure connection between a client and otherwise unsecure server. When your server already is secure, i do not see any reason to add another layer of security.
I have never deployed a reverse proxy before and i was wondering if it is mandatory from a security perspective
It is definitely not mandatory. It is of course good practice to secure resources which would otherwise be totally open. So, of your server is already 'secure' and authenticating requests, i would not add another authentication instance.