This is a very informative article on how WebSphere Portal security works. It also does a great job of explaining WebSphere app server security, and how external security managers can hook in. It was written by the guys who architected the whole Portal security, so it is from the horses mouth, so to say.
(note: this is a PDF document link)
Labels: Portal, security, WebSphere