Chapter 10. Security

Roy Russo

10.1. Securing Portal Objects

This section describes how to secure portal objects (portal instances, pages, and portlet instances), using the JBoss Portal *-object.xml descriptor OR portlet-instances.xml descriptor. View the User Guide for information on how to secure objects using the Management Portlet.

Securing portal objects declaratively, is done through the *-object.xml ( Section 6.1.1, “*-object.xml” ), for Portal Instances and Pages, or the portlet-instances.xml ( Section 6.1.2, “portlet-instances.xml” ) for Portlet Instances. The portion you will be adding to each object is denoted by the <security-constraint> tag:

<?xml version="1.0" encoding="UTF-8"?>

A security constraint on an object (our example above, secures a specific portal page), is explained as:


The security contraint portion is worth taking a look at, in an isolated fashion. It allows you to secure a specific window/page/portal-instance based on a user's role.

Role definition: You must define a role that this security constraint will apply to. Possible values are:

  • <unchecked/> Anyone can view this page.
  • <role-name>SOMEROLE</role-name> Access to this page is limited to the defined role.

Access Rights: You must define the access rights given to the role defined. Possible values are:

  • view Users can view the page.
  • viewrecursive Users can view the page and child pages.
  • personalize Users are able to view AND personalize the page.
  • personalizerecursive Users are able to view AND personalize the page AND its child pages.

We provide three live samples of this descriptor, here Section 6.1.2, “portlet-instances.xml” , Section 6.3.1, “Defining a new portal page” ,and Section 6.3.2, “Defining a new portal instance”