It should be usefull to have a possibility to automatically invoke a xaction file at startup, something like:
<org.pentaho.core.session.PentahoHttpSession scope="request">security.xaction</org.pentaho.core.session.PentahoHttpSession>

This is usefull when you have standard params send to the server which should be checked by each request. E.g. when you pass the department to the xaction files, you want to execute some rules if the current use has access to this and raise an exception if no access.

The idea is that the above defined xaction is executed by each request, before the xaction itself is invoked. This will give us a good security filter.