Usually, that's a Bad Idea™. If you have to do it, only allow a few fixed static commands, allowing no user input.
If you have to accept user input be very restrictive about it, and check it for disallowed commands. Since any command will run with the ID of the web server, one malicious user can destroy the whole website, or even the system itself (it takes only one
"Bobby Tables").
Once you've checked everything, call Runtime.getruntime().exec()