The all-permissions security dialog will omit the "always trust" checkbox when the app is from multiple hosts, and the manifest of the main jar does not contain the appropriate Application Library Allowable Codebase attribute.
In the normal launching of a jnlp application with no href, the jnlp location is unknown, so we consider the app to be from multiple hosts (the host of the jar, and the "unknown" host of the jnlp file).
When we store the certificate in the permanent trust store for an app for which the "always trust" checkbox was checked by user, we include a string containing the locations of the jars and the jnlp file (or docbase for applets in the browser).
After discussion with the security team, it was agreed that if we store the hash of the "unknown location jnlp file" instead of it's location, we can restore the checkbox for this case.
This means that checking the checkbox will no longer mean (in this case) "Do not show this again for apps from the publisher and location above", but instead will mean:
"Do not show this again for this app from the publisher above.", and we should change the text show accordingly.
If the dialog is accepted with the checkbox checked we will not show the dialog again for the identical jnlp file (same app) when the certificates used to sign the main jar have not changed.
This will not effect a case where the jnlp file actually changes between runs.