diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
index 78dc50e10..a95236297 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
@@ -110,8 +110,9 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 	private AuthRequestOptionsService authOptions = new StaticAuthRequestOptionsService(); // initialize with an empty set of options
 	private AuthRequestUrlBuilder authRequestBuilder;
 
-	// private helper to handle target link URLs
+	// private helpers to handle target link URLs
 	private TargetLinkURIAuthenticationSuccessHandler targetSuccessHandler = new TargetLinkURIAuthenticationSuccessHandler();
+	private TargetLinkURIChecker deepLinkFilter;
 	
 	protected int httpSocketTimeout = HTTP_SOCKET_TIMEOUT;
 
@@ -641,8 +642,10 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 			String target = getStoredSessionString(session, TARGET_SESSION_VARIABLE);
 			
 			if (!Strings.isNullOrEmpty(target)) {
-				// TODO (#547): should we (can we?) check to see if this URL is part of our app's namespace?
 				session.removeAttribute(TARGET_SESSION_VARIABLE);
+				
+				target = deepLinkFilter.filter(target);
+				
 				response.sendRedirect(target);
 			} else {
 				// if the target was blank, use the default behavior here
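Review bot: `deepLinkFilter.filter(target)` dereferences a field that the first hunk declares with no initial value, so a filter configured without `setTargetLinkURIChecker(...)` would throw a NullPointerException here after a successful login instead of redirecting. The neighbouring `targetSuccessHandler` and `authOptions` fields get defaults at declaration, but nothing visible in this diff assigns `deepLinkFilter`. Guard the call so a missing checker fails closed: `target = (deepLinkFilter != null) ? deepLinkFilter.filter(target) : "/";`. Alternatively, reject a null checker at start-up so the misconfiguration surfaces before any login. The enclosing method starts and ends outside the hunk.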
@@ -751,4 +754,29 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 		this.authOptions = authOptions;
 	}
 
+	public SymmetricCacheService getSymmetricCacheService() {
+		return symmetricCacheService;
+	}
+
+	public void setSymmetricCacheService(SymmetricCacheService symmetricCacheService) {
+		this.symmetricCacheService = symmetricCacheService;
+	}
+
+	public TargetLinkURIAuthenticationSuccessHandler getTargetLinkURIAuthenticationSuccessHandler() {
+		return targetSuccessHandler;
+	}
+
+	public void setTargetLinkURIAuthenticationSuccessHandler(
+			TargetLinkURIAuthenticationSuccessHandler targetSuccessHandler) {
+		this.targetSuccessHandler = targetSuccessHandler;
+	}
+
+	public TargetLinkURIChecker targetLinkURIChecker() {
+		return deepLinkFilter;
+	}
+
+	public void setTargetLinkURIChecker(TargetLinkURIChecker deepLinkFilter) {
+		this.deepLinkFilter = deepLinkFilter;
+	}
+
 }
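Review bot: The accessor `targetLinkURIChecker()` lacks the `get` prefix that every other accessor added in this hunk uses, so bean-style tooling would see the property as write-only. Rename it to `public TargetLinkURIChecker getTargetLinkURIChecker()`. It would also help to add a short Javadoc on `setTargetLinkURIChecker` stating that the checker decides which post-login redirect targets are allowed, because the field name `deepLinkFilter` and the type name `TargetLinkURIChecker` use different vocabulary for the same thing. The class body starts outside the hunk.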
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/StaticPrefixTargetLinkURIChecker.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/StaticPrefixTargetLinkURIChecker.java
new file mode 100644
index 000000000..c8953514d
--- /dev/null
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/StaticPrefixTargetLinkURIChecker.java
@@ -0,0 +1,33 @@
+package org.mitre.openid.connect.client;
+
+/**
+ * Simple target URI checker, checks whether the string in question starts
+ * with a configured prefix. Returns "/" if the match fails.
+ * 
+ * @author jricher
+ *
+ */
+public class StaticPrefixTargetLinkURIChecker implements TargetLinkURIChecker {
+
+	private String prefix = "";
+	
+	@Override
+	public String filter(String target) {
+		if (target == null) {
+			return "/";
+		} else if (target.startsWith(prefix)) {
+			return target;
+		} else {
+			return "/";
+		}
+	}
+
+	public String getPrefix() {
+		return prefix;
+	}
+
+	public void setPrefix(String prefix) {
+		this.prefix = prefix;
+	}
+
+}
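Review bot: The default `prefix = ""` makes `target.startsWith(prefix)` true for every string, so an instance whose prefix was never set allows any redirect target, which is the open redirect this class is meant to prevent. Two further gaps are in `filter`: `setPrefix(null)` leads to a NullPointerException in `startsWith`, and a raw string prefix without a trailing `/` also matches look-alike hosts (a prefix of `https://rp.example` matches `https://rp.example.other.example/`; hosts constructed for illustration). The sketch below fails closed on an unset prefix and only matches on a path boundary. It is stricter than the current behaviour, so the class Javadoc should say that the prefix is treated as a base URL. Targets containing `..` segments are not normalised by either version and may deserve a separate check.

```java
	@Override
	public String filter(String target) {
		// fail closed: an unset or empty prefix must not admit every target
		if (target == null || prefix == null || prefix.isEmpty()) {
			return "/";
		}
		// match on a path boundary so the prefix cannot be extended into another host
		String base = prefix.endsWith("/") ? prefix : prefix + "/";
		if (target.equals(prefix) || target.startsWith(base)) {
			return target;
		}
		return "/";
	}
	// … unchanged: getPrefix / setPrefix …
```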
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/TargetLinkURIChecker.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/TargetLinkURIChecker.java
new file mode 100644
index 000000000..8203235b4
--- /dev/null
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/TargetLinkURIChecker.java
@@ -0,0 +1,13 @@
+package org.mitre.openid.connect.client;
+
+public interface TargetLinkURIChecker {
+
+	/**
+	 * Check the parameter to make sure that it's a valid deep-link into this application.
+	 * 
+	 * @param target
+	 * @return
+	 */
+	public String filter(String target);
+
+}
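Review bot: The Javadoc on `filter` leaves `@param target` and `@return` empty, so implementers cannot tell what the method must return when the target is rejected. Since this return value is passed straight to `response.sendRedirect`, the contract should be explicit: `@param target the requested post-login URL, may be null` and `@return the target if it is an allowed deep link, otherwise a safe fallback location; never null`. A one-line interface-level comment saying that implementations must fail closed would make the security intent clear to anyone writing a custom checker. The redundant `public` modifier on the interface method can be dropped.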