I'm not asking about PORTAL resources. I'm asking about PORTLET resources. They're not needed to login.

Consider portlet created with Google Web Toolkit. Entire portlet is compiled to big JavaScript file. And this big JavaScript file can be downloaded by anybody without even logging into portal.

These kinds of things should be opened as bugs. Jelmer, another community member, has been one of the harder voices on Liferay with respect to security...

For the GWT portlet, well in Liferay an admin can remove guest view for the portlet. I would expect that if guest view access was removed, then I should not be able to pull script.

But just because I expect it would work that way doesn't mean that Liferay does, it doesn't mean that they've considered this, and it doesn't mean they wouldn't share the same expectation.

It could just mean that it hasn't been reported as an issue and therefore hasn't been addressed.