This week's book giveaway is in the OCPJP forum. We're giving away four copies of OCA/OCP Java SE 7 Programmer I & II Study Guide and have Kathy Sierra & Bert Bates on-line! See this thread for details.
What you are saying sounds basically correct (you using Struts 1.x?). You need to use a web.xml to tell your container about Struts (the ActionServlet). If you define your roles in web.xml you can then define your action mappings to restrict access based on the user's current role (using the roles attribute on the action tag).