Preventing direct URL access in a J2EE environment

[Kevin Conaway <kevin.conaway () gmail com>]

For our application, we would like to prevent users from requesting
application resources directly.  E.g. browsing to
http://localhost/app/method.do?id=5&type=3 instead of actually
clicking on a link that the application provides.

We would like to do this without a major impact on our code.  I was
thinking of using the following scenario:

- Currently we have tag libraries that help build all our URLS.  These
tag libraries would be modified to include a strong cryptographic
token that is unique to each URL/User combination.  - The token/URL
combination would be stored in the application context for a
pre-determined amount of time.

- Next, we would use a Servlet filter to intercept the URL.  First,
deny URLS requested without tokens. If a token is passed, verify that
matches the token stored in the application context for the requested
URL.

For the token, I was considering using SecureRandom to generate a
random number and compute a hash of the random number and the URI
being requested.  This would be stored along with with URI and the
user Id.

Could anyone point out any pitfalls I need to be aware of, or if I'm
going about things the wrong way?

Thanks

Kevin