If I've read the documentation clearly, you still define security through your web.xml deployment descriptors. Then, you can limit access to actions via the struts-config.xml so users in certain roles are allowed, and everybody else rudely rejected.
Check out the struts-config DTD for more info. (I can't think of any better source -- not that I've found.) Maybe the Struts User Guide, but that's just a guess. I don't remember security being mentioned in it.