I'm suffering from Morning Confusion again. Meaning I
think I've an idea what you're getting at, but I'm too thick-witted to be sure.
So I'll work backwards and hope it helps. Forgive me if I repeat things you already know. Not everyone here may.
First of all, there's the constraint that a login page cannot be JSF. That's because container-managed security authenticator (j_security_check) doesn't route a normal web request, if routes a "fast-track" internal request. So login pages need to be able to operate without controller
servlets, including the FacesServlet.
Secondly, the container URL filter is exactly that. If looks at the original page request URL to determine what roles are permitted for that URL. Notice I didn't say anything about the page. It's the URL that's vetted, not the actual content request. That's why you need a <redirect/;> navigation element in faces-config (or, for JSF2, you can also declare via annotation).
Thirdly, (and I
think this is your actual problem), the welcome page request, like login requests are "fast-path" dispatched. I think, in particular that this may be interfering with the URL screening for container-managed security, although there are reasons why I hope not.
Normally, my welcome page itself is public. It may say something like "warning: trespassers beyond this point will be shot", but I still prefer that anyone can tell when they've reached my site and whom to contact if they need admittance.
I don't know whether any of this helps at all, but I figured it probably can't hurt.