I was unable to reproduce the issue, I've used 2.7.2 budled version, but permissions work fine with both html and pdf. Can you please post the exact steps on how to reproduce the error?
Have you tried with non CMS super user? It works fine with CMS super user. Also it works with anonymous ot user permission. It does not work only with role permission. I already found the solution and I will post it.
I found that user is saved in session, but not the roles. Therefore, I changed the viewfile.jsp and pending_items.jsp so that roles are saved in the session.
I also changed the CMSPreviewServlet so that it retrieves the roles from the session and put it in JCRCMS object. Now it is working fine. The changed codes are as follows.
Following are added to the jsp's.
Set roles = new HashSet();
// Get the current authenticated subject through the JACC contract
Subject subject = (Subject)PolicyContext.getContext("javax.security.auth.Subject.container");
if (subject != null)
Set tmp = subject.getPrincipals(JACCPortalPrincipal.class);
JACCPortalPrincipal pp = null;
for (Iterator k = tmp.iterator(); k.hasNext();)
pp = (JACCPortalPrincipal) k.next();
if (pp != null)
if (pp == null)
pp = new JACCPortalPrincipal(subject);
// Lazy create all the permission containers for the given role names
for (Iterator k = pp.getRoles().iterator(); k.hasNext();)
Principal role = (Principal) k.next();
Following were added to CMSPreviewServlet
Set roles = (Set)request.getSession().getAttribute("remoteRoles");