For some administrative portlets it is required to enforce security constraints on portlet definition level, e.g. restrict (all) usage for certain admin portlets to users having admin only.
By default, Jetspeed only enforces portlet level security constraints (see: http://portals.apache.org/jetspeed-2/deployguide/guide-registry.html, section jetspeed-portlet.xml) while adding new portlet instances to a page/fragment.
Once a portlet has been instantiated, only the page/fragment security constraints are enforced.
This default behavior can be changed globally, but has rather a high impact as potentially the expected behavior of existing portlet instances might thereby change.
As an light-weight alternative, I will add support for an additonal, portlet level meta data configuration through jetspeed-portlet.xml which allows turning this behavior on for individual portlets only.
By adding a <js:metadata name="render-time.security-constraints">true</js:metadata> tag to a portlet configuration in jetspeed-portlet.xml, the security constraints for that portlet will be enforced at render time.