I don't know about other containers, but any security restrictions on servlets and JSP in Tomcat are those imposed by the administrator of the system through Java's "fine grained" SecurityManager policy definition capabilities. I just went through this when getting a servlet to talk to a JavaSpaces server.
If you start Tomcat with the -security command line parameter, a SecurityManager is created using the ../conf/catalina.policy file. There is nothing unique to Tomcat here - just plain Java security. If you don't specify -security, no SecurityManager is created and code can do anything it wants.
Bill
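
Added example (not part of the original message, and not Tomcat's own code): a small probe that reports whether a SecurityManager is actually installed and whether the policy grants a few sample permissions, which is a quick way to confirm the container was started with -security. The class name, host name and port are constructed placeholders, and it assumes a JDK on which the SecurityManager is still functional (it is deprecated since JDK 17).

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.PropertyPermission;

/** Hypothetical diagnostic; call probe() from a servlet or run main() directly. */
public class SecurityProbe {

    /** Returns "unrestricted" when no SecurityManager exists, else "granted" or "denied". */
    static String probe(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // Started without -security: nothing is checked, code can do anything.
            return "unrestricted";
        }
        try {
            // Throws SecurityException unless the policy grants p to every
            // protection domain on the current call stack.
            sm.checkPermission(p);
            return "granted";
        } catch (SecurityException e) {
            return "denied";
        }
    }

    public static void main(String[] args) {
        Permission[] samples = {
            // Constructed stand-in for the outbound connection a servlet
            // would need to reach a remote space server.
            new SocketPermission("spaces.example.test:4160", "connect,resolve"),
            new PropertyPermission("user.home", "read"),
            new FilePermission("<<ALL FILES>>", "read"),
            new RuntimePermission("exitVM"),
        };
        System.out.println("SecurityManager installed: "
                + (System.getSecurityManager() != null));
        for (Permission p : samples) {
            System.out.println(probe(p) + "  " + p);
        }
    }
}
```

Every line reading "unrestricted" means the code is running with no policy enforcement at all; with a SecurityManager in place, a "denied" socket line means the policy file has no matching SocketPermission grant for that code.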