One possible solution would be to have your initPage action place some object in the HTTPSession. Then have all the other actions check for the existence of this object. If it doesn't exist, redirect back to the initPage Action.
If you don't want to put this code in every action, you could implement a Servlet Filter that could perform this task.

[ September 12, 2007: Message edited by: Merrill Higginson ]
Hi,

If you are planning to go for user authentication then you can use Basic authentication. In this case you can protect the webapp resources using security constraints defined in web.xml.

The other one would be as suggested by Merrill. I suppose this is the Synchronizer Token pattern way. You expect some token to be available in the request and check for the existence of that token. If the token is validated then go ahead, else redirect the user to an error page. We did it once and had the code in a Filter as mentioned by Merrill.

Regards,
Amit
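A sketch of the filter approach described in the two posts above, added as an example and not code from either poster. The attribute name `initPageVisited` and the path `/initPage.do` are assumptions; the initPage action is assumed to set the attribute on the session when it completes.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Map this filter in web.xml to the action URLs that must follow initPage.
public class InitPageFilter implements Filter {
    // Assumed names: the initPage action calls
    // session.setAttribute(MARKER, Boolean.TRUE) once it has run.
    static final String MARKER = "initPageVisited";
    static final String INIT_PATH = "/initPage.do";

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Let the entry action itself through, otherwise the redirect loops.
        if (INIT_PATH.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create a session just to find it empty.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(MARKER) == null) {
            String target = request.getContextPath() + INIT_PATH;
            response.sendRedirect(response.encodeRedirectURL(target));
            return; // stop here; the requested action never runs
        }

        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

The marker only shows that this session passed through initPage; it does not identify the user, so it complements the web.xml security constraints rather than replacing them.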
This situation reminds me of a quote which goes something like..
The trouble with building an idiot-proof system is that the world keeps coming up with bigger and better idiots.
I don't think it's possible to make a system completely idiot-proof. This is just my two cents, but if there's no security risk, and the user just gets an oddly formatted page for his efforts at hacking the URLs, then I say there's no harm done.