Ah, now I got it. With *.xhtml your security constraint was _not_ matching the incoming request URL but the forwarded URL. Yeah, this may lead to some weird problems. I guess this should be added to the FAQ.