Actually, @djmj, the ?org.ocpsoft.rewrite.join.id=blah is not a security risk because it is only used internally. It is removed before the URL is sent to the client. This is the same as using ?faces-redirect=true – JSF removes the parameter and it does not appear on the client side.
Do you play Magic?
Get TopDecked MTG, the #1 Magic App, built by players, for players. Free to use, forever.