You define security roles for the users of an OpenCAF application in the same way that you define security roles for a portlet application. For OpenCAF projects that do not contain any portlets, you define security roles directly in the WebContent\WEB-INF\web.xml file of the project in Software AG Designer as follows:

For more information about adding security roles to a portlet application and mitigating security vulnerabilities in portlets, see Security in CAF Applications.