Viewpoint provides an enhanced security architecture, known as VISA (Viewpoint Information Security Architecture), that allows an individual portlet to specify its own security domain model and still plug-in to the overall security system to take advantage of common services. The key features of VISA include:

  • Multiple declarative security domain models
  • Fine-grained role-based authorization engine
  • Internal datastore and external (LDAP) authentication of users
  • External user auto-provisioning
  • Java API and JSP tag library
  • Web-based administration console

VISA can be viewed as two over-arching functional concerns:

  • Identity: Is the user who they say they are? Identity is established through an authentication process.
  • Policy: What rights does a user have to access a particular entity? Policy is set by an administrator, and is evaluated at runtime through a process of authorization.


Authentication is the process by which a user's identity is established. VISA currently supports a username/password authentication scheme, where the user's credentials can be stored locally (internally authenticated) or in LDAP (externally authenticated). VISA can also be configured to support user auto-provisioning, wherein a first-time user is provisioned with an account if LDAP authentication is successful.

Role Membership is specified by the Administrator, via the Role Manager portlet. An authenticated user is in one or more roles; every authenticated user belongs to the base User role. Role membership can be set programmatically, but is more typically set by the Administrator using the User Manager and Role Manager portlets.


Domain model: VISA is built around the concept of a pluggable domain model, wherein a portlet or application can declare one or more domain instances, each with a customized permission set; dynamically register resources for that domain; and set security policy on each registered resource. Typically a VISA domain model is specified via XML.

Authorization: is the process of determining if a user, in a given role, is granted a specific permission (to perform an action) on a resource belonging to some domain. This fine grained verdict engine is exposed to the developer via a JSP Tag Library and a Java API. Policy is typically set by the Administrator using the Role Manager portlet, but can also be set programmatically.


Since there is no industry standard on security terminology. this document largely adheres to the terminology of JAAS.

ma255063 2 comments Joined 11/13
06 Nov 2013

Why do we need to implement security on portlet separately, as we know that portlets are the part of portal, and only those people can access/login into portal that have account?? 

You must sign in to leave a comment.