The correct solution is to keep all JSP files under the WEB-INF folder (i.e. /WEB-INF/jsps) where they cannot be accessed by the browser at all. All requests then MUST go through a controlling servlet.
"The good news about computers is that they do what you tell them to do. The bad news is that they do what you tell them to do." -- Ted Nelson
J. Kevin has given you the correct answer. The JSPs should not be accessible via URL at all. And if someone types a bad URL (such as directly to a JSP -- but how would they know how to?) they should get a 404 error.
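The arrangement described in this thread, as an added example that is not code from either poster: a controlling servlet that forwards to JSPs kept under /WEB-INF/jsps and answers 404 for anything else. The `/app/*` mapping, the view names, the JSP file names and the use of the `jakarta.servlet` package (older containers use `javax.servlet`) are assumptions.

```java
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Map;

// Hypothetical controller: the mapping, view names and JSP file names
// are assumptions made for this example.
@WebServlet("/app/*")
public class FrontController extends HttpServlet {

    // Allowlist of logical paths to JSPs stored under /WEB-INF/jsps.
    // The JSP location is never built from request input, so a client
    // cannot steer the forward to an arbitrary file.
    private static final Map<String, String> VIEWS = Map.of(
            "/home", "/WEB-INF/jsps/home.jsp",
            "/account", "/WEB-INF/jsps/account.jsp");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is null when the request is exactly "/app".
        String path = req.getPathInfo();
        String jsp = (path == null) ? null : VIEWS.get(path);

        if (jsp == null) {
            // Unknown or mistyped URL: same 404 a direct JSP request gets.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Authentication, authorization and model loading belong here,
        // before the view is rendered.

        // A server-side forward can reach /WEB-INF; a browser request cannot,
        // because the container rejects client requests for /WEB-INF/*.
        req.getRequestDispatcher(jsp).forward(req, resp);
    }
}
```

With this in place, a request for `/app/home` renders `home.jsp`, while a request typed directly for `/WEB-INF/jsps/home.jsp` is refused by the container with a 404.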