Anybody know a means of detecting a spoofed referer (sic) in the HTTP header? I would like to ensure that all access to pages on our site after the login page originates from our site.
This is not possible. This information is passed by the client (usually) through the browser. It is a simple matter for the client to lie. You probably want to look at JBoss security.
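The difference between the two checks, as an added Python sketch that is not part of the original posts and is not JBoss configuration: a Referer test compared with a server-issued session check, run over constructed requests. The site origin, the `session` cookie name and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # secret held only by the server
SITE = "https://www.example.test"      # constructed origin, an assumption

def _tag(user: str) -> str:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def issue_session(user: str) -> str:
    """Cookie value handed out only after a successful login (no expiry here)."""
    return f"{user}.{_tag(user)}"

def session_user(cookie_header: str) -> Optional[str]:
    """Return the logged-in user, or None if the cookie is missing or altered."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar or "." not in jar["session"].value:
        return None
    user, tag = jar["session"].value.rsplit(".", 1)
    ok = hmac.compare_digest(tag.encode(), _tag(user).encode())
    return user if ok else None

def referer_gate(headers: dict) -> bool:
    """The check asked about: trusts a value the client chooses."""
    return headers.get("Referer", "").startswith(SITE + "/")

def session_gate(headers: dict) -> bool:
    """Server-side check: only a cookie this server issued verifies."""
    return session_user(headers.get("Cookie", "")) is not None

# Constructed requests (header dicts), not captured traffic.
NO_LOGIN = {"Referer": SITE + "/account"}                    # never logged in
LOGGED_IN = {"Cookie": "session=" + issue_session("alice")}  # Referer omitted
TAMPERED = {"Cookie": "session=admin." + "0" * 64, "Referer": SITE + "/"}

if __name__ == "__main__":
    for name, req in [("no login", NO_LOGIN), ("logged in", LOGGED_IN),
                      ("tampered", TAMPERED)]:
        print(f"{name:10} referer_gate={referer_gate(req)} "
              f"session_gate={session_gate(req)}")
```

The Referer gate admits the request that never logged in and rejects the legitimate one that arrives without a Referer; the session gate decides both correctly because it verifies a value the server created.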