J2EE and security constraints

The Script Portlet Authors and Script Portlet Users roles define access to Script Portlet features.

The Script Portlet Authors role is used to control access to the editor and import features. This role allows authorized and trusted users to create, edit, and upload active content such as HTML, JavaScript, and CSS. This content is stored in IBM® Web Content Manager and used to render the user interface of a portlet that is built with the Script Portlet technology. The content, whether imported or entered by a user, is not validated, inspected, or scanned in any way. Therefore, users you place into the Script Portlet Authors role can store arbitrary content on your server and use it to create portlets. Because of this ability, you must be especially careful to put only trusted users in this role.

By default, the Script Portlet maps the Script Portlet Authors role to the wpsadmins group in Portal. This default ensures that only users with administration-level access and trust can access the editor and import features. If your Portal environment does not contain the standard wpsadmins group, then the editor and import features are not accessible to any users. However, you can easily modify this mapping to use whatever Portal group is appropriate in your environment.
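The following added example (not IBM's code) checks that the Script Portlet Authors role is bound only to approved groups. It assumes the mapping is available in WebSphere's `ibm-application-bnd.xml` role-binding format; the sample binding, the `contractors` group, and the `TRUSTED_GROUPS` allowlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTHORS_ROLE = "Script Portlet Authors"
TRUSTED_GROUPS = {"wpsadmins"}  # assumption: the groups you approve as authors

# Constructed sample binding, not taken from a real deployment.
SAMPLE_BND = """
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.2">
  <security-role name="Script Portlet Authors">
    <group name="wpsadmins"/>
    <group name="contractors"/>
    <special-subject type="AllAuthenticatedUsers"/>
  </security-role>
  <security-role name="Script Portlet Users">
    <special-subject type="Everyone"/>
  </security-role>
</application-bnd>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_authors_role(bnd_xml, trusted_groups=TRUSTED_GROUPS):
    """Return (kind, subject) findings for the Authors role binding.

    Every subject other than an approved group is reported, because any
    holder of this role can store unvalidated HTML, JavaScript, and CSS.
    """
    root = ET.fromstring(bnd_xml)
    roles = [e for e in root.iter()
             if _local(e.tag) == "security-role"
             and e.get("name") == AUTHORS_ROLE]
    if not roles:
        # No binding: nobody can reach the editor or import features.
        return [("unbound", AUTHORS_ROLE)]
    findings = []
    for role in roles:
        for subject in role:
            kind = _local(subject.tag)
            name = subject.get("name") or subject.get("type")
            if kind == "group" and name in trusted_groups:
                continue
            findings.append((kind, name))
    return findings


if __name__ == "__main__":
    for kind, name in audit_authors_role(SAMPLE_BND):
        print("REVIEW: %s %r holds %s" % (kind, name, AUTHORS_ROLE))
```
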

The second role that is defined by the Script Portlet is named Script Portlet Users. This role is used to control view access to the portlets implemented with the Script Portlet technology. The Script Portlet Users role is mapped to the Portal Everyone special subject by default. If a user has view access to Web Content Manager portlets, then they have view access to portlets implemented by using the Script Portlet.