Consuming uPortal Groups as Roles

In the portlet.xml you use something like

Declaring a role in portlet.xml aliasing back to a uPortal Group
<security-role-ref>
  <role-name>myPortletAdmin</role-name>
  <role-link>local.107</role-link>
</security-role-ref>

The 'local' bit refers to the uPortal group source as defined in compositeGroupServices.xml [1].

The '107' bit in my example refers to the database ID in the case of locally managed groups.

To access PAGS groups you would use something like.

Role link to a PAGS group
<role-link>pags.2</role-link>

Finally in the code you do this

Querying for role / group membership in your JSR-168 Java code
boolean allowed = request.isUserInRole("myPortletAdmin");

Footnotes:
[1]: In theory there are alternatives to configuring your group stores and their keys in compositeGroupServices.xml; in practice compositeGroupServices.xml is the method everyone uses.)