Self-signed applet doesn't get a full permissi

Published 2019-08-01 06:50

Question:

I've googled lots of links like oracle and velocity review and stackoverflow too, but still no success.

The point is simple. Jar is signed using:

keytool -genkey -alias signFiles -keystore compstore -keypass bca321 -dname "cn=test" -storepass abc123
jarsigner -keystore compstore -storepass abc123 -keypass bca321 -signedjar SignedJar.jar UnsignedJar.jar signFiles

And it runs perfectly on the local machine. But when SignedJar.jar is used as an applet via HTTP(S), even if the user accepts the certificate (IE or FF or Chrome - no difference), it stops working with:

java.security.AccessControlException: access denied (javax.smartcardio.CardPermission Broadcom Corp Contacted SmartCard 0 connect)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at sun.security.smartcardio.TerminalImpl.connect(Unknown Source)

Yes, it tries to read from a smartcard inserted in the terminal, and gets an exception on calling connect.

Yes, I've tried this approach too:

AccessController.doPrivileged(new PrivilegedAction() {
...

But with no luck. So where is the catch?

Thanks in advance, Kirill

Answer 1:

I ran into this problem today, Java 1.7.0_11, applet jars signed with a self-signed certificate added to the list of trusted certificates. It went away when I removed the section in my policy file that granted my applet's codebase all permissions.



Answer 2:

After creating public/private keys, creating the associated certificate and signing each one of your applet jars with the certificate, you should create a hash for each file in the JAR and sign them with the private key. These hashes, the public key, and the certificate must be added to the META-INF directory of the JAR file alongside the JAR's manifest.

Here is the command line:

$ jar -tf SignedApplet.jar

See link