I don't think this is the case. It seems to rely on the setting of specific session scoped variables. My source of reference for the implementation of the Struts 2 RolesInterceptor is:
http://nickcoblentz.blogspot.com/2008/12/page-level-access-controls-in-struts-2.html
If you click on the image for the RolesInterceptor, you will see that it appears to retrieve the value of 'role' session variable and cross-references with the roles that are set against the action.
My loginAction contains the following snippet:
I have also tried adding: session.put('authenticated', Boolean.TRUE) & setting USER_HANDLE to a value of 'user'. In both cases this makes no difference. When a user is logged into the system with the 'role' variable set to 'member', the user still receives a HTTP 403 when attempting to go to an action which includes this role in its allowedRoles list.
I would be obliged for further advice.
Thanks in advance