Place the JSPs under WEB-INF, and they won't be accessible from the outside. Note that accessing them directly shouldn't be a big concern, because all the users would get is an error, or an empty page, given that all the data accessed by the view wouldn't be available, since the controller hasn't been invoked.
Regarding static resources, if you don't want the users to be able to access them without access control, then also put them under WEB-INF, or outside of the webapp directories, and access them through a controller which checks that the user may access them, reads them, and writes them to the response.