Please find my answers inline:
1) There is no role-based declarative security for portlets defined by
portlet spec.
Yes
2) For local portlets in JBoss Portal it is solved by securing portlet
instances.
Yes
3) For WSRP, JBoss Portal has no solution currently. Neither propagation of
a User
Basically that parameter has to be set in the PortletRequest and not in the
HttpRequest. See menu.jsp fragment below:
a id=logout href=
| portlet:actionURL windowState=normal
| portlet:param name=op value=userLogout/
| portlet:param name=locationURL value=/portal/portal/default/default/
SecurityStore
==
Will no longer hold the keystore and truststore, rather will hold a reference
to a JaasSecurityDomain Object. This will be used to lookup the security
configuration and also to encode/decode.
Since we want to make this keystore configuration available from