I have investigated this, and the behavior seems as expected.
1.) If a jnlp file contains the <security>all-permissions</security> tag, all jars in it must be signed.
This is the same behavior in javaws 1.1 all the way to the present and is as specified in the JNLP specification.
2.) If you do this, you should get one of two possible error dialogs (depending if the code is in the same package). It sounds like in this case we have a bug which generates this NPE exception instead, and that is shown in the Error Dialog instead of the proper error.