Servlet containers frequently run with a security manager, which creates a sandbox that prohibits the use of Runtime.exec, amongst other things. This is meant to protect web apps from one another, and the server as a whole from an errant or malicious web app.
If you have control over the server, check its startup scripts for security manager related settings (for Tomcat, the "-security" switch in the catalina.sh script).