First, portlets are not bound to URLs, so they cannot be secured via web.xml. The only thing done in relation with the servlet world is that the user is authenticated against the portal servlet, and when he accesses a portlet (in the local case) the request user principal and the roles are propagated to the portlet, so you can apply programmatic security in your portlet. Then the spec does not define anything else than that.
In JBoss Portal portlets are secured via the concept of portlet instance. The main reason is that it gives more flexibility than securing a portlet, since securing a portlet is done at deployment time and an instance has a life cycle which is more dynamic.
In the WSRP world, how security is done is unclear. I think that the ideal scenario is to have security propagation between the consumer and the producer using either a WS spec or the HTTP transport authentication (we have a JIRA task for that but not scoped at 2.6)
In future releases we'll add security per consumer registration. So you will be able to expose a set of portlets to a particular consumer. Due to the non-triviality of this task we will make it for 3.0 probably. Actually we will need to visit the different use cases for security in the producer part.
Besides that, JBoss Portal has a flexible architecture, so it is possible to add a portlet container interceptor to apply security before a portlet is reached.
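The first point above (the portal propagates the user principal and roles into the portlet request, and the portlet applies programmatic security itself) can be illustrated with a small JSR-168 portlet. This is an added example, not code from the thread or from JBoss Portal; the role name "admin" and the class name are assumptions, and in JSR-168 the portlet-side role name is mapped to the portal's role through a `<security-role-ref>` entry in portlet.xml.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/**
 * Hypothetical portlet (added example, not from the thread or from JBoss Portal)
 * that applies programmatic security using the user principal and roles that the
 * portal propagates on the PortletRequest. The role name "admin" is an assumption;
 * it would be mapped to a portal role via <security-role-ref> in portlet.xml.
 */
public class ProgrammaticSecurityPortlet extends GenericPortlet {

    private static final String REQUIRED_ROLE = "admin"; // assumed role name

    /** Deny-by-default decision, kept separate from rendering so it can be tested. */
    static boolean isAllowed(Principal user, boolean inRequiredRole) {
        // No principal means the portal did not authenticate the user: deny.
        if (user == null) {
            return false;
        }
        return inRequiredRole;
    }

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        Principal user = request.getUserPrincipal();
        boolean allowed = isAllowed(user, request.isUserInRole(REQUIRED_ROLE));

        // Content type must be set before obtaining the writer in JSR-168.
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        if (!allowed) {
            // Render a minimal refusal instead of the protected content.
            out.println("<p>You are not authorised to view this portlet.</p>");
            return;
        }
        out.println("<p>Welcome, " + escape(user.getName())
                + ". Protected content goes here.</p>");
    }

    /** Escape the principal name before echoing it into the rendered HTML. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The check is only as good as the propagation: in the local case the portal fills in the principal and roles, but, as the post notes, the spec says nothing about how they reach a remote (WSRP) portlet, so a remote portlet cannot assume `getUserPrincipal()` is populated.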
Just to summarize your answer and to verify if I understood you correctly:
1) There is no role-based declarative security for portlets defined by portlet spec.
2) For local portlets in JBoss Portal it is solved by securing portlet instances.
3) For WSRP, JBoss Portal has no solution currently. Neither propagation of a User id, nor role based access control is solved. If we need something there, we should implement it ourselves.
Please find my answers inline:
>>>1) There is no role-based declarative security for portlets defined by portlet spec.
>>>2) For local portlets in JBoss Portal it is solved by securing portlet instances.
>>>3) For WSRP, JBoss Portal has no solution currently. Neither propagation of a User id, nor role based access control is solved. If we need something there, we should implement it ourselves.
Can you restate the above 3 points with respect to JBoss Portal 2.6.1.
Have things changed? Especially role-based declarative security for portlets?
The question was about declarative security *from the spec*; the spec hasn't changed.
Declarative security for portlet instances and portal objects has existed since the beginning in JBoss Portal.