All aboard the Java fail boat

“You might be putting the pieces together already:

1. Oracle says that all Java applets should be signed.

2. Signed Java applets run outside of the Java sandbox.

3. Some Java applets have vulnerabilities.

It all goes back to an architectural weakness that has been present in Java since the concept of a signed applet was introduced. Java conflates authentication with authorization. When you sign an applet, it gets privileges automatically” https://www.cert.org/blogs/certcc/2013/04/dont_sign_that_applet.html

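The difference between "signed, therefore fully privileged" and "signed, then separately authorized" can be shown with the standard `java.security` permission classes. This is an added example, not code from the CERT post or from the Java Plug-in; the class name, the URL and the file paths are constructed, and the two permission sets are a model of the decision, not the plug-in's actual implementation.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class SignedIsNotAuthorized {
    public static void main(String[] args) throws Exception {
        // Constructed code source: placeholder URL, no real certificate chain.
        // In a real deployment the chain comes from the verified JAR signature
        // and answers only one question: who published this code?
        CodeSource applet = new CodeSource(
                URI.create("https://applets.example.invalid/report-viewer.jar").toURL(),
                (Certificate[]) null);

        // Model A: the behaviour the quote describes. A valid signature is
        // treated as the authorization decision, so the code gets everything.
        Permissions conflated = new Permissions();
        conflated.add(new AllPermission());
        ProtectionDomain signedMeansTrusted = new ProtectionDomain(applet, conflated);

        // Model B: same publisher, but authorization is a separate, explicit
        // grant limited to what this applet needs (hypothetical directory).
        Permissions scoped = new Permissions();
        scoped.add(new FilePermission("/srv/reports/-", "read"));
        ProtectionDomain signedAndScoped = new ProtectionDomain(applet, scoped);

        // Constructed requests: one legitimate, two that a flaw in the
        // applet could be abused to make on an attacker's behalf.
        Permission[] requests = {
            new FilePermission("/srv/reports/2013/q1.pdf", "read"),
            new FilePermission("/home/user/.ssh/id_rsa", "read"),
            new RuntimePermission("setSecurityManager"),
        };
        for (Permission p : requests) {
            System.out.printf("%-62s conflated=%-5b scoped=%b%n",
                    p, signedMeansTrusted.implies(p), signedAndScoped.implies(p));
        }
    }
}
```

Under model A every request is implied, so a vulnerability in the signed applet inherits full privileges; under model B only the read inside the granted directory is.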