Signed applet w/ signed JNLP template produces java.lang.SecurityException

Question

I'm signing the JNLP file used by my RIA, in preparation for the coming tighter security restrictions in 7u51, due in January. The webstart version is working great, but I've run into a problem where the applet version fails to launch with the following exception.

Google has apparently never heard of this exception. :(

java.lang.SecurityException: JAR should not contain JNLP-INF/APPLICATION_TEMPLATE.JNLP
        at sun.plugin2.applet.Applet2ClassLoader.getPermissions(Unknown Source)
        at java.security.SecureClassLoader.getProtectionDomain(SecureClassLoader.java:206)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at sun.plugin2.applet.Plugin2ClassLoader.defineClassHelper(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.access$100(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
        at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
        at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
        at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
        at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:744)

Answer 1

The problem was that the applet was not being deployed as a JNLP applet. A security fix was introduced in 7u25 that was intended to prevent the re-purposing of a JNLP applet via the legacy <applet/> tag deployment mechanism. This exception indicates that that security fix has been tripped.

The work-around is either to always deploy your applets as JNLP applets, or to use a different variant of the JAR file that does not contain a JNLP-INF directory.

Note that you may also see this variant if you're signing the JNLP itself rather than a template:

java.lang.SecurityException: JAR should not contain JNLP-INF/APPLICATION.JNLP