|Subject:||customizing the default requestprocessor|
Response to: customizing the default requestprocessor
I think security is something which should be applied at application level.
Yes you can check security in execute() method of your Action Class but then you have to copy+paste same code in every Action class which may not be very good thing.
You can have separate class containing security code and call it from Action class but what if you forgot to call that method from one of your Action class.This type of bug would be very hard to find.
Also waiting to check if user has rights to perform this action till Action class execute() method means you will have to execute business logic(validation) in your ActionForm class even if user is not allowed to call that Action.