When pen testing web sites that use applets to enforce business rules, it's a good idea to decompile the applet and poke around it. Here are some of the things we've come across that helped us test the application better:
Hard coded secrets, passwords, symmetric keys and once even an embedded private key
Weak "custom encryption" logic that could be reverse engineered easily
Inadequate input validation logic, along with exactly which boundary conditions were being tested for
A structured listing of business rules that helped us refine our threat model
The "secret handshake" used for authenticating the applet to the servlet
This isn't rocket science: all it takes is a Java decompiler and a few hours of analysis. We use DJ Decompiler, a graphical front end built over the JAD decompiler for Java.
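A small triage helper for the review step, added here as an example and not part of the original post or of any tool it names: it runs a few regexes over decompiled Java and flags the kinds of constructs listed above (hard-coded credentials and handshake strings, embedded private keys, hard-coded symmetric keys, XOR-style "custom encryption", client-side boundary checks) so the reviewer knows where to start reading. The applet source below is constructed to resemble JAD output; `TradeApplet` and its fields are invented.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (category, line number, matched text)

# Constructed sample of what decompiled applet source tends to look like.
SAMPLE_SOURCE = """\
public class TradeApplet extends Applet {
    private static final String DB_PASSWORD = "s3cretPass!";
    private static final byte[] AES_KEY = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
    private static final String HANDSHAKE_TOKEN = "APPLET-AUTH-7f3a";
    private static final String SIGNING_KEY = "-----BEGIN RSA PRIVATE KEY-----\\nMIIB...";
    public String encrypt(String s) {
        char[] out = new char[s.length()];
        for (int i = 0; i < s.length(); i++)
            out[i] = (char)(s.charAt(i) ^ AES_KEY[i % AES_KEY.length]);
        return new String(out);
    }
    public boolean validateAmount(int amt) { return amt > 0 && amt <= 10000; }
}
"""

# One (category, pattern) pair per item from the checklist in the post.
CHECKS = [
    ("hard-coded credential or handshake string",
     re.compile(r'(?i)\b\w*(?:password|passwd|secret|token|handshake)\w*\s*=\s*"[^"]+"')),
    ("embedded private key",
     re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')),
    ("hard-coded symmetric key",
     re.compile(r'(?i)byte\s*\[\]\s*\w*key\w*\s*=\s*\{[^}]*\}')),
    ("custom encryption (XOR with a constant or key array)",
     re.compile(r'\^\s*(?:\w+\[|0x[0-9a-fA-F]+)')),
    ("client-side boundary check (confirm the server enforces it too)",
     re.compile(r'(?:<=|>=|<|>)\s*\d+')),
]


def scan(source: str) -> List[Finding]:
    """Run every check over every line; one finding per (line, category) hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, pattern in CHECKS:
            match = pattern.search(line)
            if match:
                findings.append((category, lineno, match.group(0)[:60]))
    return findings


if __name__ == "__main__":
    for category, lineno, snippet in scan(SAMPLE_SOURCE):
        print(f"line {lineno:>3}: {category}: {snippet}")
```

The regexes are deliberately loose; each hit is a place to read by hand, not a confirmed finding, and every "boundary check" hit should be re-tested directly against the servlet.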