That's correct. The server-side code can be a servlet, a JSP, a CGI program, Windows ISAPI DLL code, SOAP services, or whatever kind of code you prefer. As long as you can send down your request and get a response via HTTP, it really doesn't matter how the server does it.
I'm focusing on HTTP tunneling here because it's probably the most common technique, since the protocols are well understood and the problems due to sandbox rules and firewalls are minimized. Although I should note that an unsigned applet can only talk to the server it was downloaded from!
The best way to do HTTP tunneling is to use the java.net.HttpURLConnection class. This allows you to easily set up the request and receive its response, plus it also automagically handles the support services such as cookies, which are often used to maintain secure sessions with the server. HttpURLConnection will send and receive the cookies for your browser without you even having to write code or set up special options.
The format of the data you request and of the response is up to you. You can use GET or POST and transmit data as simple lines of text, XML or in whatever form you like. I recommend text forms over binary, partly because it's easier to test, partly because most of the good reasons for using binary (compression, security, etc.) are now part of basic support services, and partly because it's simply easier to diagnose problems when you don't have to pick bits apart.
One thing I don't recommend is use of the Java serialization services - people get burned when the server is using a different version of the JVM than the client. The Java serialized data format has been known to change.
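
An added example, not part of the original post: a minimal text-over-HTTP exchange using java.net.HttpURLConnection, with key=value lines in place of Java serialization. The class name TunnelDemo, the /tunnel path, the field names and the loopback com.sun.net.httpserver server standing in for the servlet side are all assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class TunnelDemo {
    // Client side: POST key=value text lines, read key=value lines back.
    static Map<String, String> call(URL endpoint, Map<String, String> request) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) endpoint.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        conn.setRequestProperty("Content-Type", "text/plain; charset=UTF-8");
        try (Writer w = new OutputStreamWriter(conn.getOutputStream(), StandardCharsets.UTF_8)) {
            for (Map.Entry<String, String> e : request.entrySet()) {
                String line = e.getKey() + "=" + e.getValue();
                // A CR or LF inside a field would smuggle an extra line into the message.
                if (line.indexOf('\n') >= 0 || line.indexOf('\r') >= 0)
                    throw new IOException("line break in field " + e.getKey());
                w.write(line + "\n");
            }
        }
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) throw new IOException("server returned HTTP " + status);
        try (InputStream in = conn.getInputStream()) { return parseLines(in); }
    }
    // Shared by both sides: one key=value pair per line, malformed lines are skipped.
    static Map<String, String> parseLines(InputStream in) throws IOException {
        Map<String, String> out = new LinkedHashMap<>();
        BufferedReader r = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
        for (String line; (line = r.readLine()) != null; ) {
            int eq = line.indexOf('=');
            if (eq > 0) out.put(line.substring(0, eq), line.substring(eq + 1));
        }
        return out;
    }
    public static void main(String[] args) throws IOException {
        // Constructed loopback server standing in for the servlet/CGI side.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/tunnel", ex -> {
            String msg = parseLines(ex.getRequestBody()).get("msg");
            byte[] body = ("status=ok\necho=" + msg + "\n").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(body); }
        });
        server.start();
        try {
            URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/tunnel");
            System.out.println(call(url, Collections.singletonMap("msg", "hello")));
        } finally { server.stop(0); }
    }
}
```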