I recently wrote a portlet for Liferay using Spring MVC. I was told recently that my security is not quite correct, however. I was having the admins configure who could add the portlet through the configuration menu, but that doesn't prevent someone from adding a portlet to the public page of a community and possibly leaking privileged information.

In my portlet.xml I have the following entry:

and in my liferay-portlet.xml:
The role mapper contains two fields: the role-link, which is the Liferay role, and the role-name, which is what maps to the portlet.xml security-role-ref mapping. Now, the way I understand it, anyone with the Liferay Role "HR Employee" should be able to see the portlet; however, anyone who does not have that role should see an error message about the lack of sufficient roles (or possibly a "portlet has been undeployed" message, depending on the settings for Liferay). Do I need to add a security-role mapping to the web.xml similar to this that I just found on an old JBoss page (http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html)?
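As an added example (not the asker's code, nor Liferay's or Spring's), one way to make the portlet enforce the mapped role itself on every render, so that placing it on a public page cannot expose its data regardless of page permissions. The portlet-side role name `hr-employee`, the package and the view names are assumptions; the Liferay role "HR Employee" is the one named in the question.

```java
// Added example, not the asker's code. Assumed mapping (names are placeholders):
//
//   portlet.xml:          <security-role-ref><role-name>hr-employee</role-name></security-role-ref>
//   liferay-portlet.xml:  <role-mapper><role-name>hr-employee</role-name>
//                                      <role-link>HR Employee</role-link></role-mapper>
//
// With that mapping, PortletRequest.isUserInRole("hr-employee") is true only for
// users who hold the Liferay role "HR Employee".
package example.hr;

import java.util.Collections;
import java.util.List;

import javax.portlet.RenderRequest;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.portlet.bind.annotation.RenderMapping;

@Controller
@RequestMapping("VIEW")
public class HrPortletController {

    /** Portlet-side role name declared in portlet.xml (assumed). */
    static final String REQUIRED_ROLE = "hr-employee";

    @RenderMapping
    public String view(RenderRequest request, Model model) {
        if (!isAuthorized(request)) {
            // Render a neutral view; no privileged data is loaded on this path.
            return "denied";
        }
        model.addAttribute("records", loadHrRecords(request));
        return "view";
    }

    /** Single authorization check so every render path goes through it. */
    static boolean isAuthorized(RenderRequest request) {
        // Anonymous visitors on a public page have no remote user at all;
        // isUserInRole resolves the portlet role through the Liferay role mapper.
        return request.getRemoteUser() != null && request.isUserInRole(REQUIRED_ROLE);
    }

    private List<?> loadHrRecords(RenderRequest request) {
        // Placeholder for the portlet's real data access; only reached after the check.
        return Collections.emptyList();
    }
}
```

The check in the controller is independent of who can add the portlet to a page, so it still holds when the portlet ends up on a public community page.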