The approach you describe eventually allows one to plug in one's own permission system at the Action level and read the entire permission-action matrix from everywhere. But then you also say that assignment of permission is static after the server is started. So where is the gain?
I can already assign roles to Actions since Struts 1.1. The roles are application specific, and I have to know their names anyway. I can use the AS user provisioning to assign roles to users (Tomcat 5 has a nice Admin interface to assign roles to users and groups). I cannot have users delegate roles there, but the software you describe here cannot do this either. You just say that this can be done elsewhere, but this outside application could also set Servlet roles (permissions) in a hierarchical way. Where is the context to your example and what's the gain?
Please advise, I might be missing something.
cannot do this either. You say that one can do that elsewhere, but your article is not about a permission system.