ATG Portal makes limited use of J2EE security features in the portal. It calls request.getUserPrincipal() and uses the returned information, but makes no use of contextual security. Portal security is handled dynamically, and is relative to the current community.