The Java Runtime Environment can be run using a Security Manager if you want to restrict access to certain parts of the application (depending on the code that is running and on the authentication status).
This can be enabled in Apache Tomcat or in JBoss for example.
The policy and permissions system is a complex topic, and is documented here.
Admittedly, the system isn't perfect, since some of the vulnerabilities you refer to about applets occur when the applet "escapes" its security manager. This can happen if there's a bug in the security manager itself (obviously a problem) or if the policy is too loose.
In that respect, a server environment differs from an applet environment in that the applet environment is installed with a one-size-fits-all policy: something aiming to be good enough to restrict bad behaviour while enabling most features, without knowing what code is going to be run nor in which exact environment. A server environment is less vulnerable in that respect, since you may be able to customise your policy to address your specific needs (e.g. allow connections to your specific database server but no other outgoing connections).
Security managers tend not to be enabled by default in webapp containers, but if you need to, you can configure the policies as necessary.
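
The database-only policy mentioned above, next to a too-loose one, as an added example that is not part of the original answer. It only evaluates the permission objects that such policy grants would produce and does not install a security manager. The addresses are constructed samples and the class and method names are hypothetical.

```java
import java.net.SocketPermission;
import java.security.Permissions;

public class PolicyScopeDemo {
    // Constructed sample endpoints. IP literals are used so that
    // SocketPermission.implies() never needs a DNS lookup.
    static final String DB_SERVER  = "10.0.0.5:5432";   // the one database the app needs
    static final String DB_SSH     = "10.0.0.5:22";     // same host, different port
    static final String OTHER_HOST = "203.0.113.9:443"; // any other outgoing target

    // What a tailored server policy grants, equivalent to the policy-file entry:
    //   permission java.net.SocketPermission "10.0.0.5:5432", "connect";
    static Permissions tightPolicy() {
        Permissions granted = new Permissions();
        granted.add(new SocketPermission(DB_SERVER, "connect"));
        return granted;
    }

    // A one-size-fits-all grant, equivalent to the policy-file entry:
    //   permission java.net.SocketPermission "*", "connect";
    static Permissions loosePolicy() {
        Permissions granted = new Permissions();
        granted.add(new SocketPermission("*", "connect"));
        return granted;
    }

    // The question a security manager asks before an outgoing connection:
    // do the granted permissions imply this specific connect request?
    static boolean mayConnect(Permissions granted, String hostAndPort) {
        return granted.implies(new SocketPermission(hostAndPort, "connect"));
    }

    public static void main(String[] args) {
        String[] targets = { DB_SERVER, DB_SSH, OTHER_HOST };
        Permissions tight = tightPolicy();
        Permissions loose = loosePolicy();

        System.out.printf("%-18s %-6s %-6s%n", "target", "tight", "loose");
        for (String target : targets) {
            System.out.printf("%-18s %-6b %-6b%n",
                    target, mayConnect(tight, target), mayConnect(loose, target));
        }
    }
}
```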