Tomcat 9 on port 443 works only as root, which can be harmful [duplicate]
After reading many serverfault.com articles I have successfully configured my Tomcat 9 on port 443.
But the problem is that 443 is a privileged port, so I added the root user in the tomcat.service below. How can I avoid this, as I want to give the tomcat user permission for just this one service? I hope you understand my issue and will advise the best answer.
vim /etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 9 servlet container
After=network.target
[Service]
Type=forking
############## I added root user here ##########################
User=root
Group=root
Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh
[Install]
WantedBy=multi-user.target
You can run Tomcat (or anything) as non-root and still bind to system ports if you have granted the CAP_NET_BIND_SERVICE capability set. You can do this in your systemd unit by adding AmbientCapabilities= in the [Service] section:
AmbientCapabilities=CAP_NET_BIND_SERVICE
Obviously you will also need to remove User= and Group=.
You should also consider using NoNewPrivileges=true to restrict the app from elevating its privileges.
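The unit from the question rewritten along the lines of this answer, plus a small lint that flags the three weaknesses it discusses (running as root, no bind capability, NoNewPrivileges left off). This is an added example, not code from the question or the answer; it assumes a non-root "tomcat" account that owns /opt/tomcat/latest.

```shell
#!/bin/sh
# Hardened unit for the Tomcat install above (constructed example; assumes a
# non-root "tomcat" account owning /opt/tomcat/latest).
hardened_unit() {
cat <<'EOF'
[Unit]
Description=Tomcat 9 servlet container
After=network.target

[Service]
Type=forking
User=tomcat
Group=tomcat
# Bind 443 without root: only this one capability is granted.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Tomcat and anything it spawns can never gain more privileges than this.
NoNewPrivileges=true
Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
EOF
}

# Lint a unit file read from stdin: exit 1 and print a line for each finding,
# i.e. runs as root (explicit, or User= unset which systemd treats as root),
# no CAP_NET_BIND_SERVICE, or NoNewPrivileges not enabled.
check_unit() {
  unit=$(grep -v '^[[:space:]]*[#;]' | sed 's/[[:space:]]*$//')
  rc=0
  user=$(printf '%s\n' "$unit" | sed -n 's/^User=//p' | tail -n 1)
  if [ -z "$user" ] || [ "$user" = root ] || [ "$user" = 0 ]; then
    echo "FAIL: service runs as root (User=${user:-unset})"; rc=1
  fi
  if ! printf '%s\n' "$unit" | grep -q '^AmbientCapabilities=.*CAP_NET_BIND_SERVICE'; then
    echo "FAIL: no CAP_NET_BIND_SERVICE, so port 443 would need root"; rc=1
  fi
  if ! printf '%s\n' "$unit" | grep -qiE '^NoNewPrivileges=(true|yes|on|1)$'; then
    echo "FAIL: NoNewPrivileges not enabled"; rc=1
  fi
  return $rc
}
```

To check the unit actually installed on a host, feed it in with `systemctl cat tomcat | check_unit`.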