Question background: (1). The JSR 168 specification does not define any particular security implementation. We can get the authenticated user and its role to control security when we design a portlet. That means each portlet defines its own security mechanism.
(2). In the JBoss Portal Reference Guide, we were told to secure a JBoss portlet with jboss-portlet.xml. We can configure permissions and assign roles. Then we can use the hasPermission(String permission) method of JBossRenderRequest or JBossActionRequest to check user access.
(3). At the same time, in JBoss Portal, there is a permission portlet; in the JBoss Portal User Guide, we were told we can use this permissionPortlet to manage permissions for portlets.
1. What are the differences between the jboss-portlet.xml and permissionPortlet securing mechanisms? Are there any references?