Here is what I do. I have a Servlet for every single JSP. Sometimes, all the servlet does is forward to the JSP. So my URL never shows a .jsp in the address bar. It will only be something like:

http://localhost:8080/app/page

Where page maps to a Servlet and the Servlet forwards to whatever JSP I need. Now if you pass parameters in the URL, which you still can, there is nothing you can do to keep people from changing these parameters. What you will have to do is, in your Servlet that accepts the request, make sure the parameters that are entered are valid for the request.
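The pattern described in the post above, as an added example that is not the poster's own code: a servlet mapped to `/page` checks a URL parameter before forwarding to the JSP. The parameter name `id`, the session attribute `allowedIds`, the `javax.servlet` 3.x API and the JSP location under `/WEB-INF` are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet behind http://localhost:8080/app/page?id=...
@WebServlet("/page")
public class PageServlet extends HttpServlet {

    // Assumed format: a numeric record id of 1 to 9 digits (always fits in an int).
    private static final Pattern ID = Pattern.compile("[0-9]{1,9}");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String rawId = req.getParameter("id");

        // Syntactic check: a missing or malformed value is rejected outright.
        if (rawId == null || !ID.matcher(rawId).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid id");
            return;
        }
        int id = Integer.parseInt(rawId);

        // Semantic check: the value must be valid for *this* request. Here the
        // ids the user may view are assumed to be stored in the session at login,
        // so an edited id in the URL only works if it is already permitted.
        HttpSession session = req.getSession(false);
        Object allowed = (session == null) ? null : session.getAttribute("allowedIds");
        if (!(allowed instanceof Set) || !((Set<?>) allowed).contains(id)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Only the validated value reaches the JSP, and the .jsp path never
        // appears in the address bar because the forward is server-side.
        req.setAttribute("recordId", id);
        req.getRequestDispatcher("/WEB-INF/jsp/page.jsp").forward(req, resp);
    }
}
```

Keeping the JSP under `/WEB-INF` means the container will not serve it directly, so the servlet's checks cannot be skipped by requesting the `.jsp` path.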