The roles attribute is a comma delimited list of roles that are allowed access to the action. If a user is in one of these roles, access is granted. The default behavior is that these roles use container managed security. So what I'm guessing you really want to find out is how to set up user roles within your container.
Here are a couple of links which might help you get started depending on what your container is:
So let's say you've set up roles called "administrator" and "user" for your app, and one of your users, JohnDoe, has the "administrator" role. Given the following ActionMapping...
...When user JohnDoe authenticates into the system he will be in the role "administrator". When the RequestProcessor processes the request, it will ask the server if the user is in any of the roles allowed by the action as specified in the ActionMapping. Since JohnDoe is in the role of "administrator", he would be allowed access in this case. He would have also been granted access were he in the role of "user". The RequestProcessor may be extended to implement your own custom security if you prefer, instead of container managed security.

[ March 15, 2005: Message edited by: Jason Menard ]
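
An added example, not part of the original post and not Struts' own code: the custom-security option mentioned above, done by overriding Struts 1's `RequestProcessor.processRoles` so the action's roles are checked against the session instead of the container. The package and class name, the `userRoles` session attribute and the `/admin` mapping shown in the comments are hypothetical.

```java
package example;

import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

// Hypothetical struts-config.xml entries this processor would work with:
//   <action path="/admin" type="example.AdminAction" roles="administrator,user"/>
//   <controller processorClass="example.SessionRoleRequestProcessor"/>
public class SessionRoleRequestProcessor extends RequestProcessor {

    // Assumption: the application's login code stores a Set of role names
    // in the session under this key after a successful authentication.
    static final String ROLES_KEY = "userRoles";

    @Override
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        // Roles parsed from the action's comma-delimited "roles" attribute.
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            return true; // no roles attribute: the action is unrestricted
        }

        // Do not create a session just to run the check.
        HttpSession session = request.getSession(false);
        Object held = (session == null) ? null : session.getAttribute(ROLES_KEY);

        // Grant access if the user holds any one of the listed roles.
        if (held instanceof Set) {
            for (String role : required) {
                if (((Set<?>) held).contains(role)) {
                    return true;
                }
            }
        }

        // Deny by default: no session, no role set, or no matching role.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```

Returning `false` tells the RequestProcessor to stop handling the request, so the action is never invoked for a user without a matching role.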
Joined: Nov 03, 2004
Wow, that was exactly the info I was looking for. I'll fool with that a bit and see how it works for me.