This applies to a Tomcat 5.5 installation running on a Ubuntu 8.04 server (and, all Ubuntu versions I know).
If you write a servlet that needs to read a file which is in the servlet's WEB-INF directory, for instance, a config.xml, Tomcat, or more precisely, the Java Security Manager will not let you.
(Interestingly, Tomcat that comes with CentOS, will do. Hmm.)
What I did is turning off the security manager in the /etc/init.d/tomcat5.5 file.
Task for the rest of the week: find out how to enable the required thing without turning off the Security Manager.