For many modern MVC framework, there is an expectation that all web client requests will go through a front controller. In the context of Spring MVC, the front controller is the Spring Dispatcher Servlet. Web resources, such as JSP pages, that are typically accessible as web resources must not be directly accessible to web clients..
A common approach for disallowing direct access to JSP pages is to putting JSP pages in the WEB-INF folder. Any resources located in WEB-INF folder, including JSP pages, aren't URL addressible.
HOW IT WORKS
By placing JSP pages in the WEB-INF folder, web clients can't directly access the JSP pages. However the developer can use JSP pages in the WEB-INF folder when specifying the View for URL Mappings.