I’m just guessing here, but I think security constraints are applied before a request enters the filter chain. So JAAS will see the pretty URL instead of the one PrettyFaces forwards to. I think you will have to adjust the rules to match the pretty URLs instead of the viewIds.
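An added example, not part of the original reply, of a `web.xml` constraint written against the pretty URL. The paths `/admin/users` and `/faces/admin/users.xhtml` and the role name `admin` are hypothetical. The Servlet specification does not apply security constraints to `RequestDispatcher` forwards, so the second pattern only covers clients requesting the view directly.

```xml
<!-- web.xml fragment. Assumed (hypothetical) PrettyFaces mapping:
     pattern /admin/users  ->  view-id /faces/admin/users.xhtml -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <!-- The URL the client actually requests; the container checks this one. -->
    <url-pattern>/admin/*</url-pattern>
    <!-- The viewId path; matched only when a client requests it directly,
         not when PrettyFaces forwards to it. -->
    <url-pattern>/faces/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>admin</role-name>
</security-role>
```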