CSRF-Protection for JSP
JSP provides the <jsp:include> action (and JSTL the <c:import> tag) for including content in the current page at request time: <jsp:include> includes a resource from the same web application, while <c:import> can additionally fetch content from an arbitrary URL.
If the included page is local and its name is fixed, use the compile-time <%@ include %> directive instead: the file is merged when the JSP is translated, so no path is resolved from request data at all.
If the included page has to be chosen dynamically, never let untrusted input form part of the page path (for <jsp:include>) or the URL (for <c:import>). An attacker-controlled path can pull in files that were never meant to be served directly (including resources under WEB-INF, which the request dispatcher can reach), and an attacker-controlled URL turns the server into a proxy that fetches whatever the attacker names (server-side request forgery). Select the page in the server-side controller that processes the request and hand the chosen, application-defined path to the view through a request attribute; the untrusted input itself must not become part of the path or URL at any point.
Where the choice must depend on user input, use allow-list ("white-list") validation: the untrusted value may only select an entry from a fixed list of known pages, anything not on the list is rejected, and the value itself is never used as a path fragment.
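The following is an added example (not code from the original page) of the controller-plus-request-attribute pattern combined with allow-list validation. The servlet name, URL pattern, the "section" parameter, the JSP file names and the javax.servlet (Servlet 4) namespace are assumptions made for illustration. The unsafe pattern it replaces is a view doing <jsp:include page="${param.section}" /> directly.

```java
// Added example (not from the original page): a server-side controller that
// selects which JSP fragment to include, using an allow-list keyed by the
// untrusted "section" request parameter. The parameter value never becomes
// part of a path; only the fixed, application-controlled path taken from the
// map does. Servlet name, URL pattern, parameter and page names are assumptions.
package example;

import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/page")
public class PageController extends HttpServlet {

    // Allow-list: untrusted key -> fixed, application-defined resource path.
    // These values are the only strings that ever reach <jsp:include>.
    // Keeping the fragments under /WEB-INF/ also stops direct browser access.
    private static final Map<String, String> SECTIONS = Map.of(
        "news",    "/WEB-INF/jsp/sections/news.jsp",
        "profile", "/WEB-INF/jsp/sections/profile.jsp",
        "help",    "/WEB-INF/jsp/sections/help.jsp");

    private static final String DEFAULT_SECTION = "news";

    /** Resolve an untrusted key to an allowed path, or null if not allowed. */
    static String resolveSection(String key) {
        if (key == null) {
            return SECTIONS.get(DEFAULT_SECTION);
        }
        // Unknown keys such as "../../WEB-INF/web.xml" or "http://evil.example/"
        // are simply absent from the map and yield null; no path is built.
        return SECTIONS.get(key);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = resolveSection(req.getParameter("section"));
        if (path == null) {
            // Reject anything not on the allow-list instead of falling back
            // to the raw parameter.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // The chosen path, not the raw parameter, is what the view sees.
        req.setAttribute("sectionPage", path);
        req.getRequestDispatcher("/WEB-INF/jsp/layout.jsp").forward(req, resp);
    }
}
```

In the (assumed) layout.jsp the include then reads <jsp:include page="${sectionPage}" />, which evaluates the request attribute set by the controller; the "section" parameter is never referenced from the JSP. The same structure applies to <c:import>: the map would hold the complete, fixed URLs and the view would use url="${sectionUrl}".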