If the JSP is in the WEB-INF folder, it can't be accessed, unless it is named in the web.xml file. Then, through the name, you can make it part of the security constraint.
You CAN indeed place a security constraint on a named JSP outside of WEB-INF. You need an alias for the JSP, and the constraint is placed on the ALIAS. When someone calls the JSP using the alias, the constraint is triggered. However, AND HERE IS THE RUB, if someone calls the JSP directly through the URL, the security constraint is not invoked.
Moral of the story? Put those darned JSPs in the WEB-INF if they need to be secured.