Using JSR Roles in a Portlet

Roles in Liferay DXP are the primary means for granting or restricting access to content. If you’ve decided not to use Liferay’s permissions system, you can use the basic system offered by the JSR 168, 286, and 362 specifications that map Roles in a portlet to Roles provided by the portal.

JSR Portlet Security

The portlet specification defines a means to specify Roles used by portlets in their docroot/WEB-INF/portlet.xml descriptors. The Role names themselves, however, are not standardized. When these portlets run in Liferay DXP, the Role names defined in the portlet must be mapped to Roles that exist in the Portal.

For example, consider a Guestbook project that contains two portlets: The Guestbook portlet and the Guestbook Admin portlet. The WAR version of the Guestbook project’s portlet.xml file references the administrator, guest, power-user, and user Roles:

<?xml version="1.0"?>

<portlet-app xmlns="" xmlns:xsi="" xsi:schemaLocation="" version="3.0">

An OSGi-based guestbook-web module project defines Roles without an XML file, in the portlet class’s @Component annotation:

	immediate = true,
	property = {
		"" + GuestbookPortletKeys.Guestbook,
	service = Portlet.class

If you are using an OSGi-based MVC Portlet, you must use Liferay’s permissions system, as the only way to map JSR-362 Roles to Liferay Roles is to place them in the Liferay WAR file’s portlet.xml.

Your portlet.xml Roles must be mapped to specific Roles that have been created. These mappings allow Liferay DXP to resolve conflicts between Roles with the same name that are from different portlets (e.g. portlets from different developers).

Mapping Portlet Roles to Portal Roles

To map the Roles to Liferay DXP, you must use the docroot/WEB-INF/liferay-portlet.xml Liferay-specific configuration file. For an example, see the mapping defined in the Guestbook project’s liferay-portlet.xml file.

    <role-link>Power User</role-link>

If a portlet definition references the Role power-user, that portlet is mapped to the Liferay Role called Power User that’s already in Liferay’s database.

As stated above, there is no standardization with portal Role names. If you deploy a portlet with Role names different from the above default Liferay names, you must add the names to the system.roles property in your file:


This prevents Roles from being created accidentally.

Once Roles are mapped to the portal, you can use methods as defined in the portlet specification:

  • getRemoteUser()
  • isUserInRole()
  • getUserPrincipal()

For example, you can use the following code to check if the current User has the power-user Role:

if (renderRequest.isUserInRole("power-user")) {
    // ...

By default, Liferay doesn’t use the isUserInRole() method in any built-in portlets. Liferay uses its own permission system directly to achieve more fine-grained security. If you don’t intend on deploying your portlets to other portal servers, we recommend using Liferay’s permission system, because it offers a much more robust way of tailoring your application’s permissions.

Liferay Permissions

Asset Framework


Understanding ServiceContext

« Checking PermissionsAuthentication Pipelines »
Was this article helpful?
0 out of 0 found this helpful