...
An applet can be granted the minimum set of privileges by leaving it unsigned, however, this is not possible if it is designed to perform privileged operations (ENV00-J. Do not sign code that performs only unprivileged operations). For applications, some additional steps may be required depending on the security policy. The default security policy file is quite restrictive in granting permissions. However, the flexible security model allows the user to grant additional permissions to applications by using a custom security policy. Several guidelines deal with granting or limiting permissions (for instance, ENV00-J. Do not sign code that performs only unprivileged operations, ENV03-J. Never grant AllPermission to untrusted code, ENV32ENV04-J. Do not grant ReflectPermission with target suppressAccessChecks and ENV33-J. Do not grant RuntimePermission with target createClassLoader).
...