1. Is this a valid approach?

Yes, you can use this, but this will not give fine-grained authentication/authorization for your portlets.

2. How can the ASA be leveraged to protect portlets? Can the ASA be configured to show/hide portlets based on policies?

ASA has multiple providers, like Identity Asserter, Authentication Provider, Authorization Provider and Adjudication Provider, which can help you to configure what you are looking for.

Identity Asserter - Asserts the SMSESSION cookie and passes the USERID to WebLogic

Authentication Provider - Can authenticate web and/or Java client-based login requests

Authorization Provider - Authorizes the requests that have a SiteMinder session cookie

You can find more information about each module in the ASA documentation. You can download the product and documentation if you have a valid support contract.