Hi,

First, portlets are not bound to URLs, so they cannot be secured via web.xml. The only thing
done in relation to the servlet world is that the user is authenticated against the portal
servlet and, when he accesses a portlet (in the local case), the request user principal and
the roles are propagated to the portlet, so you can apply programmatic security in your
portlet. The spec does not define anything other than that.

In JBoss Portal, portlets are secured via the concept of a portlet instance. The main reason
is that it gives more flexibility than securing a portlet, since securing a portlet is
done at deployment time and an instance has a life cycle which is more dynamic.

In the WSRP world, how security is done is unclear. I think that the ideal scenario is to
have security propagation between the consumer and the producer using either a WS spec or
the HTTP transport authentication (we have a JIRA task for that, but it is not scoped for 2.6).

In future releases we'll add security per consumer registration, so you will be able
to expose a set of portlets to a particular consumer. Due to the non-triviality of this
task, we will probably make it for 3.0. Actually, we will need to visit the different use
cases for security in the producer part.

Besides that, JBoss Portal has a flexible architecture, so it is possible to add a portlet
container interceptor to apply security before a portlet is reached.
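The programmatic security mentioned in the post, sketched as an added example that is not part of the original message or of JBoss Portal's code. It uses only the standard `javax.portlet` API; the class name `AdminReportPortlet`, the role name `Admin` and the `status` render parameter are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.PortletSecurityException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

// Hypothetical portlet: the class name and the "Admin" role are assumptions.
public class AdminReportPortlet extends GenericPortlet {

    // Role name as seen by the portlet; map it to a real portal role with a
    // <security-role-ref> entry in portlet.xml if the names differ.
    private static final String REQUIRED_ROLE = "Admin";

    // Fail closed: no propagated principal, or a missing role, means no access.
    private static boolean isAuthorized(PortletRequest request) {
        return request.getUserPrincipal() != null
                && request.isUserInRole(REQUIRED_ROLE);
    }

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        if (!isAuthorized(request)) {
            // Render a neutral fragment; other portlets on the page are unaffected.
            out.println("<p>You are not authorized to view this content.</p>");
            return;
        }
        out.println("<p>Administrative report</p>");
    }

    @Override
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        // Check again in the action phase: hiding the form in doView does not
        // prevent a request from reaching the action URL.
        if (!isAuthorized(request)) {
            throw new PortletSecurityException("Role " + REQUIRED_ROLE + " required");
        }
        response.setRenderParameter("status", "updated");
    }
}
```

Because the check relies on the principal and roles propagated by the portal, it covers the local case described in the post; it does not address the WSRP producer side, where the post says propagation is still undefined.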