There are several options you have for protecting data. One is to implement container managed security to protect certain directories...another is to protect certain directories with filters. Either way...once the user has logged in you can associate their username with the pdf file that they have submitted and then let them view it.
The pdf file could either be stored in a database or on the filesystem.
As far as WEB-INF - nothing behind WEB-INF is directly accessible. Typically you put
JSP pages in a directory under the web-app context directory that you can display to the user and any servlets, handler classes, or beans that you use would sit behind the WEB-INF file in the classes directory.
Your question is quite broad so you might first want to figure out how you are going to have users login then figure out how they can access their PDF files.