Why can't we access resources using URL, inside the WEB-INF or META-INF folders. But we are able to access all resources that are outside this folder using URL.

Because these are stuffs that web client shouldn't access and accessing them is dangerous for web application. Assume there are some configuration files that client shouldn't be aware of. So these files go inside WEB-INF folder.

Besides those inside WEB-INF and META-INF, you need to protect those resources outside WEB-INF else the client browser will be displaying the contents of your webapp which in most cases will be your JSP pages. This will happen when the client types the url until the webapp name like http://localhost:8080/testapp. This can be protected by defining a welcome-file list for the web-app.