We have tried many issue/bug tracking systems so far: scarab, mantis, bugzilla, trac, just to name a few. Personally I really like the last one with very nice wiki syntax, and a lot of plugins. Trac would be my issue tracker of choice for open source projects, however for the company like NCDC it is not sufficient. This is the reason why we bought JIRA.
JIRA deploys quite nicely in many different containers. Unfortunately not in standard debian's tomcat which has security manager turned on. We spent some time trying to figure out which permissions are required. I thought being very smart performing remote debugging of tomcat instance with JIRA deployed. I just set breakpoints in all the constructors of SecurityException. :)
Eventually I came across java.security.debug property. :)
There is appropriate issue on JIRA's JIRA :) I posted our established solution policy file in this ticket. I hope it will be covered by documentation one day.
I discovered another issue after messing with configuration a little bit more.