You can't stop a user from typing an address in the browser's address field.
Also if it were encrypted, the browser wouldn't be able to find your site.
If you put your content behind a directory that can't by viewed directly from the web (such as under WEB-INF), you can then write a
servlet that delivers this content.
As pradheesh suggested, a filter would allow you to check a user's session scoped credentials to determine whether a request for a particular resource should be granted or not.