OK so the current implementation:
- Has its own CryptoConfidentialKey with random IV for every URL.
- Encodes authentication, DBS URL, and creation date in the (now super long) string in the URL (all encrypted)
On access, it's decrypted, and if the age is below a certain threshold, it's handled, otherwise the user is redirected to the real URL. This creates a short loop through (re)authentication (old resource URL -> regular Jenkins URL (might require auth) -> new resource URL) which seems to work mostly OK – once frames are involved, the Jenkins login screen doesn't like to show in a frame (thanks X-Frame-Options), and it's just an empty page if you're not currently logged in. If you have a session, it's just transparent.
Still seems superior to just going with 404s all the time, and a full reload will fix it (as the top-level page will go through the auth loop without a frame).
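A sketch of the token scheme described in the comment above, added here as an example; it is not code from the comment or from Jenkins. It uses the JDK's AES-GCM in place of `CryptoConfidentialKey`, and the class name, field layout, and 30-minute threshold are assumptions.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
// Hypothetical sketch: names and token layout are assumptions, not Jenkins APIs.
public class ResourceUrlToken {
    static final Duration MAX_AGE = Duration.ofMinutes(30); // assumed age threshold
    // Encrypts "createdMillis:user:path" under a fresh random IV; the IV is prepended to the ciphertext.
    static String encode(SecretKey key, String user, String path, Instant created) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        String plain = created.toEpochMilli() + ":" + URLEncoder.encode(user, StandardCharsets.UTF_8) + ":" + path;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
    }

    // Returns {user, path} for a fresh token, or null for an expired one (the caller then
    // redirects to the regular URL). A tampered token fails the GCM tag check and throws.
    static String[] decode(SecretKey key, String token, Instant now) throws GeneralSecurityException {
        byte[] raw = Base64.getUrlDecoder().decode(token);
        if (raw.length < 12 + 16) throw new GeneralSecurityException("token too short"); // IV + GCM tag
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, raw, 0, 12));
        String[] p = new String(c.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8).split(":", 3);
        if (Duration.between(Instant.ofEpochMilli(Long.parseLong(p[0])), now).compareTo(MAX_AGE) > 0) return null;
        return new String[] { URLDecoder.decode(p[1], StandardCharsets.UTF_8), p[2] };
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        Instant t0 = Instant.now();
        String token = encode(key, "alice", "job/demo/ws/index.html", t0); // constructed sample values
        System.out.println("fresh: " + String.join(" ", decode(key, token, t0.plusSeconds(60))));
        System.out.println("expired, redirect: " + (decode(key, token, t0.plus(Duration.ofHours(2))) == null));
    }
}
```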