Put your html file inside the
WEB-INF folder of your web application. That's the only way (I know of) that you can prevent the user from directly accessing a web resource on your server!
Of course it also means you cannot use a response.redirect() to access the web page and would have to use a forward() instead. In fact I don't think there is any way you can hide a resource to which you redirect since request for any redirected resource comes ultimately from the browser itself.
Just out of curiosity - why can't you use jsp instead of html? Good
pattern would dictate that all your files be '.jsp' anyways?