I've seen this solution work very well. When you extend the ActionServlet, you can override the "processPreprocess" method to determine if the user has the necessary permissions, if the user has a valid session, etc., long before ever getting to the Action class (if you're using the 1.1 version, then the "processPreprocess" method is in the RequestProcessor now).
With this approach, you don't need to check if the session is valid in the Action classes. Another problem that this solution helps out with is, say, a user has logged in and has let the session time out while looking at a page. If the user then clicks a button like an update or something, control may go into the ActionForm before making it to the Action instance. What's going to happen if the ActionForm attempts to use the session (which has timed out)? By putting the check in the front controller, you're able to save checking for a valid session in the ActionForm and/or Action classes.

Chuck
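
A sketch of the front-controller check described in the message above, for Struts 1.1; this is an added example, not code from the original post. The class name, the `authenticatedUser` session attribute, the login page and the list of public paths are assumptions, and the path check assumes the ActionServlet is mapped to `*.do`.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.RequestProcessor;

public class SessionCheckRequestProcessor extends RequestProcessor {

    // Assumed names: the attribute the login Action stores on success,
    // the page to send unauthenticated users to, and the paths that
    // must stay reachable without a session.
    private static final String USER_KEY = "authenticatedUser";
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String[] PUBLIC_PATHS = { "/login.do", "/logout.do" };

    // Called by RequestProcessor.process() before the ActionForm is
    // created or populated. Returning false stops all further processing.
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        String path = request.getServletPath();
        for (int i = 0; i < PUBLIC_PATHS.length; i++) {
            if (PUBLIC_PATHS[i].equals(path)) {
                return true; // login/logout must work without a session
            }
        }

        // getSession(false) never creates a session, so a timed-out
        // session shows up as null instead of a fresh empty one.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_KEY) != null) {
            return true; // valid session: continue to ActionForm and Action
        }

        // Fail closed: no session or no authenticated user.
        try {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + LOGIN_PAGE));
        } catch (IOException e) {
            servlet.log("Redirect to login page failed", e);
        }
        return false; // response is complete; ActionForm and Action never run
    }
}
```

The processor is registered with the `processorClass` attribute of the `<controller>` element in struts-config.xml. Permission checks beyond "is logged in" would go in the same method, before the final `return true`.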