The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.
The HDIV project recently released version 2.1.0.RC2 of their Java Web Application Security Framework. Among HDIV's features is that it guarantees integrity (no data modification) of non editable page data when transmitted from the browser to the server, confidentiality and generic validations for editable data.
MonkeyFist is a dynamic request forgery attack tool released at Black Hat USA 09. It allows you to easily pull of dynamic request forgeries using different scenarios such as redirects, pages, POST based attacks, and even fixation type attacks.