This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
Assuming that you never want to allow direct browsing to the pages, you could move the 'resource' folder under WEB-INF and access them through methods on the Context like "getResourceAsStream()" or even through a include() or forward() request.
You might also write a servlet Filter that would selectively allow or deny access.
Alternately, you can use Apache in front of Tomcat, and restrict access with Apache web server settings.