Chapter 4. Securing JBoss portlets

Thomas Heute

4.1. Introduction

The JSR 168 specification does not define any particular security implementation, even though it lets you obtain the authenticated user and its roles.

In JBoss Portal, each portlet defines its own security model, and the portal provides an easy way to check whether a user has a given permission.

4.2. Defining the security model for your portlet

To define your security model, edit the file WEB-INF/jboss-portlet.xml. First you need to declare all the kinds of permissions you want, and how those permissions relate to one another.

Let's take a small example: in your portlet you want to define two different permissions, read and write. Here is an example of such a security model:

<security>
   <model>
      <permission-description>
         <permission-name>write</permission-name>
         <description>Writing permission</description>
      </permission-description>
      <permission-description>
         <permission-name>read</permission-name>
         <description>Reading permission</description>
      </permission-description>
   </model>
</security>

This would be sufficient, but a user who can write can usually read as well. With the current model, we would need to grant the role both permissions. There is another way: we can simply specify that the write permission implies the read permission. To do so we just need to write:

<security>
   <model>
      <permission-description>
         <permission-name>write</permission-name>
         <description>Writing permission</description>
         <implies>read</implies>
      </permission-description>
      <permission-description>
         <permission-name>read</permission-name>
         <description>Reading permission</description>
      </permission-description>
   </model>
</security>

A permission can imply any number of permissions; just make sure you are not creating cycles (where a permission implies another one that in turn implies the first).

4.3. Giving permissions to roles

Once you have defined the permissions you want, you need to assign roles to them. To do so, add a scheme next to the model:

<security>
   <model>
      <permission-description>
         <permission-name>write</permission-name>
         <description>Writing permission</description>
         <implies>read</implies>
      </permission-description>
      <permission-description>
         <permission-name>read</permission-name>
         <description>Reading permission</description>
      </permission-description>
   </model>
   <scheme>
      <domain></domain>
      <item>
         <path>/</path>
         <permission>
            <permission-name>read</permission-name>
            <role-name>Users</role-name>
         </permission>
         <!-- For users who are not logged in -->
         <permission>
            <permission-name>read</permission-name>
            <role-name></role-name>
         </permission>
         <permission>
            <permission-name>write</permission-name>
            <role-name>Admins</role-name>
         </permission>
      </item>
   </scheme>
</security>

Here we grant the read permission to the Users role and to anonymous users, then the write permission to the Admins role. The path defines the scope to which the permissions apply; its meaning differs from portlet to portlet. For example, the forums portlet uses the path to specify the category or forum the permissions apply to (/mycategory/myforum for example).

4.4. Checking a permission inside your portlet

You can check a permission on a JBossRenderRequest or a JBossActionRequest using any of the hasPermission methods (see the API).

In our simple example, req.hasPermission("write") checks whether the user accessing the website has the write privilege; since write implies read in our model, such a user passes a req.hasPermission("read") check as well.
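To make the semantics of <implies>, the empty <role-name/> and the scheme <path> from sections 4.2 to 4.4 concrete, here is an added Python model of that configuration (example code written for this page, not part of JBoss Portal): it parses a <security> element, expands implied permissions while rejecting the cycles warned about above, and answers the same question as req.hasPermission(). The function and variable names are the example's own, and treating a caller with no roles as anonymous is an assumption of the example.

```python
import xml.etree.ElementTree as ET
ANONYMOUS = ""  # an empty <role-name/> stands for users who are not logged in

# Constructed sample: the chapter's model and scheme as they would sit in
# WEB-INF/jboss-portlet.xml (descriptions omitted, they carry no semantics).
SECURITY_XML = """<security>
  <model>
    <permission-description><permission-name>write</permission-name><implies>read</implies></permission-description>
    <permission-description><permission-name>read</permission-name></permission-description>
  </model>
  <scheme><domain></domain><item><path>/</path>
    <permission><permission-name>read</permission-name><role-name>Users</role-name></permission>
    <permission><permission-name>read</permission-name><role-name></role-name></permission>
    <permission><permission-name>write</permission-name><role-name>Admins</role-name></permission>
  </item></scheme>
</security>"""

def permission_closure(root):
    # Each permission mapped to itself plus all it implies, transitively; rejects cycles and undeclared targets.
    implies = {pd.findtext("permission-name"): [i.text for i in pd.findall("implies")]
               for pd in root.findall("model/permission-description")}
    closure = {}
    for name in implies:
        seen, stack = set(), list(implies[name])
        while stack:
            p = stack.pop()
            if p == name or p not in implies:
                raise ValueError(f"bad <implies>{p}</implies> under {name!r}: cycle or undeclared")
            if p not in seen:
                seen.add(p)
                stack.extend(implies[p])
        closure[name] = seen | {name}
    return closure

def load_grants(xml_text):
    # Returns {path: {role: effective permissions}} for one <security> element.
    closure = permission_closure(ET.fromstring(xml_text))
    grants = {}
    for item in ET.fromstring(xml_text).findall("scheme/item"):
        roles = grants.setdefault(item.findtext("path"), {})
        for perm in item.findall("permission"):
            role = perm.findtext("role-name") or ANONYMOUS
            roles.setdefault(role, set()).update(closure[perm.findtext("permission-name")])
    return grants

def has_permission(grants, user_roles, permission, path="/"):
    # Stand-in for req.hasPermission(); a caller with no roles counts as anonymous (example assumption).
    roles = set(user_roles) or {ANONYMOUS}
    return any(permission in grants.get(path, {}).get(r, ()) for r in roles)
```

Running load_grants on a model where read also implied write raises ValueError instead of looping forever, which is the check worth running on jboss-portlet.xml before deployment.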