Is there any sample project illustrating how to use container's declarative security in Struts? The Struts textbook I read doesn't even mention the security support in Struts (not even the 'roles' attribute in <action>). So I'm just wondering if there is any sample I can study. Or is there any good Struts book that covers security in Struts?
There is a bit of a disconnect between J2EE declarative security and Struts. In J2EE security for web applications, you declare security for a servlet and method (doPost, or doGet). The trouble with this model in a Struts application is that there is only one servlet (ActionServlet) in a Struts application. Therefore, all you can really do using this model is an "all or nothing" security for the whole application.
By specifying roles in your action, you tell the RequestProcessor to check the security role before calling the action.
You can also implement security by creating filters, or by extending the Struts RequestProcessor.
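An added example, not part of the replies above, of the last suggestion for Struts 1.x: a RequestProcessor subclass that keeps the per-action 'roles' check but refuses any action that declares no roles unless its path is explicitly listed as public, since the stock processor lets such actions through. The class, package, paths and role names are made up for illustration, and the check relies on request.isUserInRole(), so the container must still authenticate the user (for example via login-config in web.xml).

```java
package example.security; // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Wiring in struts-config.xml (illustrative values):
 *   <action path="/admin/users" type="example.UserAdminAction" roles="admin,auditor"/>
 *   <action path="/login"       type="example.LoginAction"/>
 *   <controller processorClass="example.security.StrictRoleRequestProcessor"/>
 */
public class StrictRoleRequestProcessor extends RequestProcessor {

    // Actions reachable without a role; everything else must declare roles.
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<String>(Arrays.asList("/login", "/logout"));

    @Override
    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {
        String[] roles = mapping.getRoleNames(); // parsed from roles="..."
        if (roles == null || roles.length == 0) {
            if (PUBLIC_PATHS.contains(mapping.getPath())) {
                return true;
            }
            // Fail closed: an action added without roles is a config error.
            log.warn("Denied " + mapping.getPath() + ": no roles configured");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        for (String role : roles) {
            if (request.isUserInRole(role)) { // container-managed role check
                return true;
            }
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false; // response is complete; the Action is never invoked
    }
}
```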