we expect you respect the spec in return.
your role must be declared in portlet.xml in the security constraint section.
I have a similar problem. I'm developing a JSR 168 portlet so I just want to use standard libraries / methods.
I've tried to get the role of the user to no avail yet.
1) Via portlet.xml and userinfo won't work
2) Via request.isUserInRole("Editor") always false
2.1) If I add (to web.xml)
<display-name>Restrict access Edit / Admin JSP pages</display-name>
<web-resource-name>Restrict access to JSP pages</web-resource-name>
I get more of the same.
So I'm stuck. Any help getting the role list?