
Java Webstart Jar Signing: Can it be signed partially?


I have had a brief search on StackOverflow, and it seems that for a Web Start application, if some of the JARs are signed and others are unsigned, it will end up being treated as unsigned if unsigned code is accessed in the call stack.

However, what if I only put resources (e.g. config files) in an unsigned JAR? (In fact, I have some environment-dependent configs that I want to centralize in a separate JAR.) If all other JARs containing "code" are signed, will it run fine as a signed application?


Solution

  • Unsigned Jars can be put in a sand-boxed extension and used by an app. that requests j2ee-application-client-permissions or all-permissions.

    To avoid the mixed code warning that this produces, see Deploying Signed Applications and Applets Securely Without a Mixed Code Warning.
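
A minimal JNLP layout for the arrangement the answer describes, added here as an illustration and not taken from the original post. The file names, codebase URL, titles and main class are placeholders.

```xml
<!-- File 1: app.jnlp (main descriptor). Every JAR listed directly here
     must be signed, because the application requests all-permissions. -->
<jnlp spec="1.0+" codebase="https://example.com/app/" href="app.jnlp">
  <information>
    <title>Example App</title>      <!-- placeholder -->
    <vendor>Example Vendor</vendor> <!-- placeholder -->
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="app-signed.jar" main="true"/> <!-- signed code -->
    <jar href="lib-signed.jar"/>             <!-- signed code -->
    <!-- The unsigned config JAR is NOT listed here; it is pulled in
         through a separate extension descriptor. -->
    <extension name="config" href="config-ext.jnlp"/>
  </resources>
  <application-desc main-class="com.example.Main"/> <!-- placeholder -->
</jnlp>

<!-- File 2: config-ext.jnlp (component extension). It has no <security>
     element, so its JARs run in the sandbox and do not need a signature. -->
<jnlp spec="1.0+" codebase="https://example.com/app/" href="config-ext.jnlp">
  <information>
    <title>Example App Config</title> <!-- placeholder -->
    <vendor>Example Vendor</vendor>   <!-- placeholder -->
  </information>
  <resources>
    <jar href="config.jar"/> <!-- unsigned, resources only -->
  </resources>
  <component-desc/>
</jnlp>
```

Because `config.jar` is unsigned, nothing vouches for its integrity, so the signed code should treat values read from it as untrusted input.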