To hide passed parameter actually you need to submit the form. You should prevent the default behavior of the click event and replace it with the form event. Do it like in this example

<s:form id="f1" action="someAction">
  <s:hidden name="param1" value="value1"/>
  <s:url action="someAction" var="act"/>
  <s:a id="a1" href="%{act}">Go Action</s:a>
  <script type="text/javascript">
    $(document).ready(function() {
      $("#a1").click(function(event) {
        event.preventDefault();
        $("#f1").submit();
      });
    });
  </script>
</s:form>

No a URL is a GET request. If you want to POST you can do a post request with a form. If you want a button or link to do a post request, best to use JS/jQuery to hide the form and tie the buttons/links click event to submitting the form.

Struts2 has no control over the client side, there it's just HTML, CSS and JS.

As mentioned by JB Nizet, if it is about securing your information see the discussion here: How to send password securely over HTTP?

There is little issue sending most data in a get request (other than a password!) because if it is a form someone can readily see the content of the form, where seeing the parameters in the url is certainly harder.

From a server security stand point you should always assume the client can and will be able to send the worst possible data. That is why the validation framework in struts2 is so easy to use, and unlike primitive web programming systems, type conversion is a huge help. If you have a property that is an int and use that in a query you know it will be an int and not a String. If you need a String better use an Enum to ensure the value is allowed.