I'd suggest you read chapter 32 of the
Sun J2EE tutorial for some good information on what your options are for setting up security in a web application.
If you decide to use the "container managed authentication" described in this document, Struts has a way of assigning roles to Action mappings. If you specify roles="x, y, z" in your action mapping, only users who have roles x, y, or z will be able to access the action. All others will be denied access.