I have a Webstart app deployed locally on a Tomcat server. It's signed
using keytool/jarsigner with the 1.4.2_06 JDK and my own generated
certificate, and only one JAR file is used containing two classes - no
3rd party JARs or anything like that. It's a simple Swing application
which creates a Preferences object like so:

Preferences prefs =
java.util.prefs.Preferences.userNodeForPackage(TicTacToe.class);

I access the code like this:

http://192.168.1.100:8080/Test/Test.jnlp

When the app runs, I don't get the Security warning dialog which I
expect for a signed JAR. The app runs automatically and I see this
exception in the console:

Exception in thread "AWT-EventQueue-0"
java.security.AccessControlException: access denied
(java.lang.RuntimePermission preferences)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.util.prefs.Preferences.userRoot(Unknown Source)
at java.util.prefs.Preferences.userNodeForPackage(Unknown Source)

My JNLP file seems correct and has the

<security>
<all-permissions/>
</security>

block to grant all permissions.

What could be going wrong here? From what I've read, a self-signed cert
should work, and should show a Security dialog warning not to run the
application. I'm running with Java Web Start 1.5.0_02.

I'd appreciate any ideas!