Signed applet loads signed jar-files using URLClassLoader with security issue

Question

I have a signed applet. To implement some plugin architecture I download and store to disk a JAR file with specific classes.

Then I load these classes with URL

Answer 1

Install a custom security manager that allows code from the right code base (package, whatever..) to perform that action.

To do that, call System.setSecurityManager(myManager). (As you managed to figure) myManager is an extension of SecurityManager.

It requires a trusted applet to set a security manager.

Answer 2

Use an appropriate subclass of java.security.SecureClassLoader to assign an appropriate ProtectionDomain to the loaded classes. Of course, making sure that these classes are to be trusted by some mechanism (e.g. signed with a certificate you trust for such purposes).