Portlet Business Rules

CMS has established the following common Portlet (P) business rules for governing the Agency’s portlet environments. These rules apply to CMS.gov and all CMS sub-sites.

Portlet Life Cycle

BR-P-1: Each Portlet Must Include a Deployment Descriptor as Specified in JSR 286

BR-P-2: Each Portlet Must Implement Specific Portlet Life-Cycle Management Functions as Specified in JSR 286

BR-P-3: Each Portlet Must Log Events via Portlet Container Logging Functions

Portlet Personalization

BR-P-4: If Functionality to Customize / Personalize the Portlet User Interface Is Provided, It Must Be Consistent with JSR 286

Portlet Security

BR-P-5: Each Portlet Must Control Access to Content / Functionality Based on User and Role Information via the Portal

BR-P-6: Each Portlet Must Use Portal Services to Authenticate Users

BR-P-7: Each Portlet Must Securely Transport Sensitive Content

Inter-Portlet Communication

BR-P-8: Inter-Portlet Communication Must Be Performed Only by Either Public Render Parameters or Events as Specified in JSR 286

Remote Portlets

BR-P-9: Remote Portlets Must Follow Web Service Standards

Remote portlets must follow Web Service standards defined in the Web Services chapter to secure SOAP messages, verify the sender’s identity, and exchange authentication and authorization data.