Security in Struts: User Delegation Made Possible
Response to: checking constraints
I agree with you that the Action classes should not be bothered with the security-logic. The article explains how to declare the security-logic configuration but leaves the choice of the class where you verify that the user has the necessary permission up to the designer, as explained in the paragraph:
The check that the user has the necessary permission to call a certain action in the application can easily be done in a ServletFilter, but other solutions are possible. For example, using the Tiles framework, it is also possible to create a special, tabbed-layout JSP that will hide the tabs that the user is not granted access to; you could create a tag library that provides you the tags for the use in the layout JSP. Just choose the approach which fits your architecture best.
The RequestProcessor is indeed a good location, but a ServletFilter is equally suited; it just depends on what flexibility you need. You might want to be able to switch off the security checks during development by commenting out the mapping of the ServletFilter in the web.xml, but other solutions are certainly possible.
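
The ServletFilter approach discussed above, as an added example that is not code from the article or from this post. The class name, the action paths, the permission names and the `grantedPermissions` session attribute are all assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: checks the permission before any Struts Action runs. */
public class ActionPermissionFilter implements Filter {

    // Assumed mapping of action path -> required permission (constructed sample values).
    private final Map<String, String> required = new HashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        required.put("/viewAccount.do", "account.view");
        required.put("/delegateUser.do", "delegation.manage");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String needed = required.get(request.getServletPath());
        HttpSession session = request.getSession(false);
        // Assumption: the login code stored a Set<String> under "grantedPermissions".
        Object attr = (session == null) ? null : session.getAttribute("grantedPermissions");
        Set<?> granted = (attr instanceof Set) ? (Set<?>) attr : Collections.<Object>emptySet();

        // Deny by default: unmapped actions and missing permissions both get 403.
        if (needed == null || !granted.contains(needed)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res); // permitted: continue to the Struts ActionServlet
    }

    public void destroy() { }
}
```

The filter only runs while a `<filter-mapping>` for it is present in web.xml, so a build deployed with that mapping still commented out serves every action without a permission check.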