by the way, you have an example of downloading a file in the CMSAdmin portlet. It is for downloading an export of the CMS. may be things there. The HttpSession, which is seen by the servlet, is not the same as the portletSession that is used by the portlet. what you can do is set the principal from the portlet, into the HttpSession, before to show the link, and then get it in the servlet. (with an attribute of the session). Search in the forum post for HttpSession and httpservletrequest. I have posted code to get those from the portlet. This is not a nice way. A clean way is to get the Principal from the security domain of the portal. you can see an example of this done in the JbossIntegrationFilter filter that is provided with Acegi. It does something similar. Just to adapt in your servlet. See the code at : http://acegisecurity.org/multiproject/acegi-security-jboss/xref/org/acegi... or download the Acegi Security source to get the java file. You may also use a security constraint in the web.xml to let the user access to the servlet only if he is authenticated. look at the CMSAdmin portlet, to see how the servlet is setup, and add some security constraint (related to the corresponding prefix in the url...). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4037125#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...