Authentication and authorization

Portofino knows the users and their roles, and makes sure all the application's pages and functions are protected according to the rules that you define.

Page permissions

With permissions you decide the roles and responsibilities within your application. Set the access level (view, edit, develop or deny) for each page.

To make life easier, the rules you set for a page can be applied to all the pages underneath. This is called permission inheritance. Alternatively you can have a page with its own set of rules for maximum flexibility.

A handy "Test a user" feature allows you to check what a certain user (e.g., anonymous) can do on a page.

Operation permissions

Any page can declare the operations it supports (e.g., CRUD supports create, edit, delete) and you can decide which groups can perform which operations.

Apache Shiro integration

Portofino integrates Apache Shiro, a powerful, flexible security framework that provides a simple API and many useful integrations.

LDAP, Active Directory, OpenID

Authenticate using the technology of your choice, following the rules of your choice. For example:

  • first try to authenticate on the corporate LDAP
  • if it fails, try to authenticate on the department LDAP
  • if it fails, try to authenticate on the application's own user database.

Any combination of technology and rules is possible.
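
The fallback chain above, sketched directly against Apache Shiro's multi-realm API as an added example (it is not Portofino's own code or configuration). The realm names and accounts are constructed, and in-memory SimpleAccountRealm instances stand in for the two LDAP realms and the user database so that it runs with only shiro-core on the classpath.

```java
import java.util.List;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;

public class RealmChainDemo {
    // Returns the name of the realm that accepted the login, or "DENIED".
    static String login(DefaultSecurityManager sm, String user, String password) {
        try {
            return sm.authenticate(new UsernamePasswordToken(user, password))
                     .getPrincipals().getRealmNames().iterator().next();
        } catch (AuthenticationException e) {
            return "DENIED"; // every realm rejected or did not know the user
        }
    }

    public static void main(String[] args) {
        // Constructed sample accounts; stand-ins for real LDAP and database realms.
        SimpleAccountRealm corporate = new SimpleAccountRealm("corporate-ldap");
        corporate.addAccount("alice", "corp-secret");
        SimpleAccountRealm department = new SimpleAccountRealm("department-ldap");
        department.addAccount("bob", "dept-secret");
        SimpleAccountRealm local = new SimpleAccountRealm("app-db");
        local.addAccount("carol", "local-secret");
        local.addAccount("alice", "old-local-secret"); // same user name as the corporate account

        // FirstSuccessfulStrategy: the first realm that authenticates the token wins.
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator);
        sm.setRealms(List.<Realm>of(corporate, department, local)); // list order = order tried

        // Case 1: account known to the first realm.
        System.out.println(login(sm, "alice", "corp-secret"));
        // Case 2: unknown to the first realm, falls through to the second.
        System.out.println(login(sm, "bob", "dept-secret"));
        // Case 3: the first realm rejects the password, but a later realm holds the
        // same user name with a different password and accepts it.
        System.out.println(login(sm, "alice", "old-local-secret"));
        // Case 4: no realm accepts the credentials.
        System.out.println(login(sm, "mallory", "guess"));
    }
}
```

Case 3 is the one to review when designing such a chain: a rejection by an earlier realm does not stop the fallback, so duplicate user names in lower-priority realms remain valid logins.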


Portofino provides a number of Java annotations to specify permissions and guards declaratively.

Protect your page actions with just a few lines of code and let Portofino do the hard work of enforcing security.