This week's book giveaway is in the OCAJP forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide 1Z0-808 and have Jeanne Boyarsky & Scott Selikoff on-line! See this thread for details.
Although I never managed to get it working correctly, it is possible to place JSPs there as long as you only forward or include them from the servlet.
BUT, I've found support for this to be server specific, and even version specific. ie if you managed to get it working in your particular container, there is no guarantee it would work if you had to move to another container, or even another version.
I've learnt to be wary of undocumented trick such as these. Better to put a web server in front and block direct JSP access there.
You can not keep a user from typing urls into the browser, you should implement a way to check for their session. If they do not have the session when the page loads then dump them to the main page.
If you also want the URL to be hidden: You just need to manage the process, and you can not keep the url from being visible. You can use frames, but the url can still be found. Only way you can keep the url the same would be to include 5000000 dynamic includes.
Since I disallow direct access to my JSPS, I always hide them behind WEB-INF so that they can only be accessed via a controller servlet. I've never had any problems doing so from any version of Tomcat or Resin. Any container that does not allow this is "broken" and should be fixed.
I second what Bear said. It is also easier to maintain if the users can't access the JSP directly.
Keep in mind that the JSP is compiled into a servlet. If you were writing the servlet yourself, it would be standard procedure to put it in WEB-INF/classes. So keeping the JSP in WEB-INF is logically consistent.