ok here is the situation. users login to their system and their login_id is placed somewhere in the system. Now they have a link to the struts enabled web-app. Only users with certain roles can use the webapp. These roles are in the database with the login-ids. I don't know anything about struts in-built security. But i was thinking the action validates the user before it forwards to the jsp. By checking the database. What is the best way to do the above.