You can read about how JBoss Portal handles security in the documentation: http://docs.jboss.com/jbportal/v2.6.3/referenceGuide/html/security.html
Security can be assigned in JBoss Portal-specific configuration files (*-object.xml). As long as the file name used to configure security in Liferay does not conflict with the name used in JBoss Portal, you can package both files in the portlet war file. When you deploy to Liferay, it should pick up its config files and ignore JBoss Portal's config file, and vice versa.
Thanks for the info.
What about at a finer-grained level, e.g. what categories in a forum a user can see, or what documents in a repository?
The JBoss Forums project is separate from the JBoss Portal, and I am not familiar enough with how JBoss Forums handles security to comment.
For CMS Portlet security, see the "CMS Interceptors" section in the documentation: http://docs.jboss.com/jbportal/v2.6.3/referenceGuide/html/cmsPortlet.html
Also see http://docs.jboss.com/jbportal/v2.6.3/userGuide/html/admincmsPortlet.html#secure