Preventing users from accesing action.
If you are using Struts 1.0, people often write this sort of thing into a standard base Action class. On entering perform, the Action does a security check on itself, and if it passes, calls another method with the same signature (like, say, execute). Otherwise, it forwards off to whereever.
To store the security roles in Struts 1.0, you can add a public properties to your base Action (like, say, roles), and then use the set-property element to set the roles for each action.
If you use execute and roles for these extensions, you will also be upwardly compatible with Struts 1.1. Just be sure to have your execute method return Exception (which perform can then toss as a ServletException).
Ted Husted, Struts in Action.