Where page maps to a Servlet and the Servlet forwards to whatever JSP I need. Now if you pass parameters in the URL, which you still can, there is nothing you can do to keep people from changing this parameters. What you will have to do is in your Servlet that accepts the request, make sure the parameters that are entered are valid for the request.
If you are relying on the client-side for security, you are doing it wrong. Just hiding the address bar isn't going to prevent anyone from trying to spoof your system.
Take for example an app I am working on. Depending upon roles and ownership rules, different users are allowed to access different sets of records. When a search is performed, only the records that the user is allowed to see are displayed. Clicking on a search result brings up the record's details.
If I relied on the fact that the user can't see a 'forbidden' record to click on it, I'd be doing it completely wrong.
When the request to view a record's details comes in, I check on the server side whether the user has permission to access the record or not. That way, anyone trying to spoof the system by typing in URLs and changing paramters is still unable to view records that they are not supposed to.
I also encrypt the parameter values so that true keys are not exposed on the client side. This makes it harder to spoof URLs as well.