It works. But it gives me a strange feeling w.r.t security. Since webstart/jnlp is extremely carefull w.r.t allowing webstart based programs in accessing any file natively and forces developers to use the specific JNLP api, I am wondering on the safety repurcissions of the approach shown above.
I don't think that would be possible without using <jnlp><security><all-permission> and signing your app and user clicking OK to allow the application the priviledges.
Anyway, if this is really so you better file a bug with Oracle with all necessary details.