Packaging a Java web application: Reuse tomcat6 or separate process?

That should be the choice of the sysadmin. Just package the app in order to just run out-of-the box. If the sysadmin wants increased security that is his work :)

Rather than modify an existing tomcat/webapp installation, you could provide (1) stand-alone package that runs with an embedded web server, and (2) provide a simple ".war" file that people can download and install into their own tomcat (or jetty or glassfish or...) server. (If you have a versino that's a stand-alone server, then it's trivial to also provide the war as a separate download.)

As for upgrades, the stand-alone version can upgrade with your package manager (apt,rpm,yum,etc); but, if people install the war into tomcat, it would be up to the person who installed it to upgrade it manually, or you can provide a updater inside the web application. For a really nice example of this, see jenkins (formerly hudson). Sonatype/nexus also has separate installation options.

The general guidance to give to end-users is: for the quick & easy personal PC installation, go with the stand-alone version. For a mature data center and long-term ease of management, go with the ".war" in an existing app server.

The problem with a package manager modifying an existing tomcat installation is that there may be ump-teen webapps inside that tomcat, and usually there's a unexpectedly tight dependency between a version of tomcat & the versions of the webapps. It's best to upgrade tomcat first, test to see if all the webapps still work, then upgrade the webapps one by one. (Or, perhaps I'm just being paranoid, since that's the only method that has worked for me, historically.)