java, security, jnlp, java-web-start

Is there a way to deploy java web start application in sandbox without the scary warning?


My java webstart runs in sandbox, it doesn't access local files, arbitrary network files, sound recorders, camera, it only needs limited functionalities such as computation, mouse events, etc. But still, when the user clicks the jnlp file, a window pops up asking whether the user wants to run this application without signature, and says there is risk.

I thought if my java web start is in sandbox, there is no need to remind the user that there is risk? My jnlp file has no tags so I didn't ask for all permissions.


Solution

  • Even a signed application in a restricted environment can exploit bugs; the warning should not be defeated. Instead, embrace the security features discussed in Security and Code Signing. In particular,

    • Don't request unnecessary permissions.

    • Do sign your JAR; even a self-signed certificate can detect tampering.
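A pre-deployment check for the two points in the answer above, as an added example that is not part of the original question or answer: it reports whether a JNLP descriptor requests anything under `<security>` and whether the JAR carries signature files in `META-INF`. The sample descriptors, the `example.invalid` codebase, and all function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample descriptor: no <security> element, so it runs sandboxed.
SANDBOX_JNLP = """<jnlp spec="1.0+" codebase="https://example.invalid/app" href="app.jnlp">
  <information><title>Demo</title><vendor>Example</vendor></information>
  <resources><j2se version="1.7+"/><jar href="app.jar" main="true"/></resources>
  <application-desc main-class="demo.Main"/>
</jnlp>"""

# Constructed sample descriptor that asks to leave the sandbox.
PRIVILEGED_JNLP = SANDBOX_JNLP.replace(
    "<resources>", "<security><all-permissions/></security><resources>")


def requested_permissions(jnlp_text):
    """Return the permission elements found under <security> (empty = sandbox)."""
    root = ET.fromstring(jnlp_text)  # intended for your own build artifacts
    return sorted(child.tag for sec in root.iter("security") for child in sec)


def signature_entries(jar_bytes):
    """Return META-INF signature files (.SF plus .RSA/.DSA/.EC block) in a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(
            name for name in jar.namelist()
            if name.upper().startswith("META-INF/") and name.count("/") == 1
            and name.upper().rsplit(".", 1)[-1] in {"SF", "RSA", "DSA", "EC"})


def make_jar(entries):
    """Build an in-memory JAR from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


def audit(jnlp_text, jar_bytes):
    """Report findings against the two points in the answer above."""
    findings = []
    perms = requested_permissions(jnlp_text)
    if perms:
        findings.append("requests " + ", ".join(perms))
    if not signature_entries(jar_bytes):
        findings.append("JAR is unsigned")
    return findings
```

The check only confirms that signature files are present; `jarsigner -verify` is what validates the signature itself.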