liferay 5.2.3 portlet security

I recently wrote a portlet for liferay using spring mvc. I was told recently that my security is not quite correct, however. I was having the admins configure who could add the portlet through the configuration menu, but that doesn't prevent someone from adding a portlet to the public page of a community and possibly leaking privileged information.

in my portlet.xml i have the following entry
<portlet-app> <portlet> <portlet-name>hr-app</portlet-name> <!-- other stuff goes here --> <security-role-ref> <role-name>HR_Employee</role-name> </security-role-ref> </portlet> </portlet-app>
and in my liferay-portlet.xml
<liferay-portlet-app> <portlet> <portlet-name>hr-app</portlet-name> <!-- other stuff goes here --> </portlet> <role-mapper> <role-name>HR_Employee</role-name> <role-link>HR Employee</role-link> </role-mapper> </liferay-portlet-app>

The role mapper contains two fields, the role-link, which is the Liferay role, and the role-name, which is what maps to the portlet.xml security-role-ref mapping. Now, the way I understand it, anyone with the Liferay Role "HR Employee" should be able to see the portlet, however, anyone who does not have that role should see an error message about the lack of sufficient roles (or possibly a "portlet has been undeployed" message depending on the settings for Liferay). Do I need to add a security-role mapping to the web.xml similar to this that I just found on an old jboss page(http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html)?
<web-app> <security-role> <description>The single application role</description> <role-name>TheApplicationRole</role-name> </security-role> </web-app>

>"the way I understand it..."
No, you understanding is not right. For JavaEE security roles to have any effect, your portlet must check and enforce them.
This should be helpful overview of the JSR-286 (JSR-168) security system and Liferay's own permission system
http://www.liferay.com/documentation/liferay-portal/6.0/development/-/ai/security-and-permissions
In particular, if you want to control "who could add the portlet through the configuration menu", see permissions for <portlet-resources>.

Thanks, I guess I should have updated my thread a year ago or so when I finally came to that answer.

In the case of anyone else who comes along via google, I believe the following is what's needed to prevent guests from seeing the portlet. Please correct me if I'm wrong. This needs to be in a file under WEB-INF/classes/resource-actions if I recall correctly.

<portlet-resource> <portlet-name>blah</portlet-name> <supports> <action-key>VIEW</action-key> <action-key>CONFIGURATION</action-key> <action-key>PREFERENCES</action-key> </supports> <community-defaults> </community-defaults> <guest-defaults> </guest-defaults> <gust-unsupported> <action-key>VIEW</action-key> <action-key>CONFIGURATION</action-key> <action-key>PREFERENCES</action-key> </guest-unsupported> </portlet-resource>