This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
If I've read the documentation clearly, you still define security through your web.xml deployment descriptors. Then, you can limit access to actions via the struts-config.xml so users in certain roles are allowed, and everybody else rudely rejected.
Check out the struts-config DTD for more info. (I can't think of any better source -- not that I've found.) Maybe the Struts User Guide, but that's just a guess. I don't remember security being mentioned in it.