I only want to allow requests that originate from an application event. For example, clicking on a link in the application or submitting a form for processing.
I don't want to allow the user to just enter a URL in the browser address bar after they have been authenticated.

For example, a user accesses a search page which returns a list of orders which they are authorized to view. Each order is accessed by clicking on a link which brings up the order detail. The link contains the order id which uniquely identifies the order. A malicious user could simply start entering order detail URLs with different order ids. In this case, I would have to add authorization code prior to returning an order to ensure the user was authorized to view that order.

I know ACEGI offers ACL (access control list) authorization, and I know there are other ways to authorize access, but I want to try and reduce the number of authorization points I have to manage.

I know one solution would be placing a dynamic token in the URL and verifying it against a token in the session. If they match, then allow access, else deny access. Struts had something like this built in to their <html:link .../> tags and the <html:form .../> tags.

The bottom line is that all events should originate from the application, otherwise they should be considered malicious.

Any ideas, references, or experiences would be appreciated.

Thanks.
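
The token-in-the-URL idea from the post, as an added example that is not part of the original post and is not Acegi or Struts code: each link carries an HMAC computed from a per-session key over the action and the order id, so a token copied from one link does not validate for a different order id or in a different session. The class name, method names, the "orderDetail" action string and the sample ids are hypothetical, and keeping the key in the HTTP session is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper: binds each generated link to the session AND to the order id it targets.
public class LinkTokenDemo {

    // One random key per login session; in a web app it would be stored in the HTTP session (assumption).
    static byte[] newSessionKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    // Token appended to a link when the search page renders an order the user is allowed to view.
    static String tokenFor(byte[] sessionKey, String action, String orderId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sessionKey, "HmacSHA256"));
        // The newline separator keeps ("a", "b1") and ("ab", "1") from producing the same MAC input.
        byte[] tag = mac.doFinal((action + "\n" + orderId).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Check on the incoming request: recompute the token and compare in constant time.
    static boolean verify(byte[] sessionKey, String action, String orderId, String token) throws Exception {
        if (token == null) return false; // URL typed into the address bar without a token
        byte[] expected = tokenFor(sessionKey, action, orderId).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, token.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        byte[] sessionA = newSessionKey(); // constructed sample sessions
        byte[] sessionB = newSessionKey();
        String token = tokenFor(sessionA, "orderDetail", "1001");

        System.out.println("link as rendered:  " + verify(sessionA, "orderDetail", "1001", token));
        System.out.println("order id edited:   " + verify(sessionA, "orderDetail", "1002", token));
        System.out.println("different session: " + verify(sessionB, "orderDetail", "1001", token));
        System.out.println("no token supplied: " + verify(sessionA, "orderDetail", "1001", null));
    }
}
```

With this scheme the authorization decision is made at the point where the link list is built, so the token is only as trustworthy as that check. URLs carrying tokens also end up in browser history, proxy logs and Referer headers, which is why the key is per session and should be discarded at logout.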