The Portlet specification also supports programmatic security using the isUserInRole method in the same way as servlets.
The following is an example indicating that when isUserInRole(role1) is called within the Portlet TestPortlet, it should return true if the user who is accessing the Portlet is in the Employee role.
To configure a Portlet application to use declarative/programmatic security on the Portlet Container, the web descriptor must define a list of valid User Admin roles in the <role-name> tag. This list of roles can include user and group roles. The above example uses the default User Admin role of Employee. The Portlet Container assumes that all User Admin users store their passwords as a credential with the key "password". If no valid users are created with User Admin, then the Portlet Container will not let anyone access the Portlet application resources that have been secured.
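The role mapping described above, written out as an added example (it is not the listing from the original page). The portlet class name, MIME type and title are placeholders; the element names are those of the standard portlet and web deployment descriptors.

```xml
<!-- WEB-INF/portlet.xml (fragment): maps the name used in code to a real role -->
<portlet>
  <portlet-name>TestPortlet</portlet-name>
  <!-- placeholder class name, not from the original page -->
  <portlet-class>com.example.TestPortlet</portlet-class>
  <supports>
    <mime-type>text/html</mime-type>
  </supports>
  <portlet-info>
    <title>TestPortlet</title>
  </portlet-info>
  <security-role-ref>
    <!-- the string the portlet passes to isUserInRole(...) -->
    <role-name>role1</role-name>
    <!-- the role it resolves to; must match a <security-role> in web.xml -->
    <role-link>Employee</role-link>
  </security-role-ref>
</portlet>

<!-- WEB-INF/web.xml (fragment): the list of valid roles for the application -->
<security-role>
  <!-- must name an existing User Admin role (user or group role) -->
  <role-name>Employee</role-name>
</security-role>
```

With this mapping, a call to isUserInRole("role1") inside TestPortlet returns true only for users in the Employee role. If the role named in web.xml does not correspond to a role that exists in User Admin, no user can satisfy the check.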