Something will need to be added to deal with this problem: http://en.wikipedia.org/wiki/Cross-site_request_forgery
Examples of the problem: http://www.oreillynet.com/onlamp/blog/2007/10/yahoo_susceptible_to_cross_sit.html
A method that would be relatively simple to implement: http://java.dzone.com/articles/preventing-csrf-java-web-apps
Also seriously considering HDIV (HTTP Data Integrity Validator): http://www.hdiv.org
It has support for Struts 1.3.