The JNLP security model is incompatible with the existing applet security model and prevents straightforward redeployment of existing applet content via JNLP. The JNLP security model states among other things that if the main JNLP does not request all permissions via the <security> tag, that JNLP can not pull in resources from multiple hosts. The existing applet security model is at this point very well defined: applets may pull in resources from any host, and permissions are granted based on both the origin of the code and the signing and trust status of that code.
In order to enable straightforward redeployment of existing applet content, it is necessary to remove some of the restrictions artificially imposed by the JNLP specification in the support for JNLP-based applets.