Security constraints in web.xml only work if you're using container-based security. That means among other things that you have to have designed the webapp to let the server manage the authentication (login) and authorization processes. Which I recommend, but it's not appropriate in all cases.
The best way to hide the raw .xhtml is to put it underneath the WEB-INF directory. Files and directories inside WEB-INF are effectively invisible to external access.
An IDE is no substitute for an Intelligent Developer.