The JSP resources usually reside directly or under subdirectories (e.g.
myPath) of the document root, which are directly accessible to the user through
the URL. If you want to protect your Web resources then hiding the JSP files
behind the WEB-INF directory can protect the JSP files, css (cascading style
sheets) files, Java Script files, pdf files, image files, html files etc from
direct access. The request should be made to a servlet who is responsible for
authenticating and authorising the user before returning the protected JSP page
or its resources.