Indeed, the portlet spec does not cover that.
And btw this is the same reason that AJAX has security holes in a portal.
One thing you can try is:
1/ put a token in the http session
2/ put a servlet filter in your war files that checks if the token is present or not in order to grant access to the resources
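A sketch of the filter described in step 2, as an added example that is not part of the original post or of any portal's own code. The class name `SessionTokenFilter` and the attribute name `RESOURCE_ACCESS_TOKEN` are assumptions chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: rejects direct requests to resources in the war unless the
 * HTTP session already carries a token placed there by the portlet.
 */
public class SessionTokenFilter implements Filter {

    // Hypothetical attribute name. The portlet would set it with
    // portletSession.setAttribute(TOKEN_ATTR, value, PortletSession.APPLICATION_SCOPE)
    // so that servlets and filters in the same war can read it.
    public static final String TOKEN_ATTR = "RESOURCE_ACCESS_TOKEN";

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed for this sketch.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for a caller that has none.
        HttpSession session = request.getSession(false);
        Object token = (session != null) ? session.getAttribute(TOKEN_ATTR) : null;

        if (token == null) {
            // No session or no token: the request did not come through the portlet.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

The filter only takes effect once it is declared in the war's `web.xml` and mapped to the URL patterns of the resources that should not be reachable directly.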
Thanks Julien for your quick reply. I'll try to do what you said and I'll tell you my results.
Thanks again, Paolo.