Actually, it may be more basic than that. When you use raw HTML, the URL is exactly as typed. But the JSF elements often prefix the application context on the submitted URL.
In other words, if your app is deployed under "myapp" (http://www.myserver.com/myapp), the JSF URL constructed would include the "myapp" part, although that would be stripped again from the URL before the security pattern-matcher got to it.
Another and more devious problem may be because you're doing this as an Action. I'm not sure about when you do a direct View reference, but when you invoke an Action method and your target is a secured resource, you need to include the "redirect" qualification. That's because JSF doesn't track URLs directly, and without the redirect, the submitted request will go in under the old nonsecured URL, even though the target URL is secure. And the container security system vets based on incoming URL, NOT on target resource!
Adding "redirect" (or the "<redirect/>" element to a faces-config navigation) will cause the request to be redirected in under the secured URL and that will cause the security URL filter to kick in properly.
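
The configuration described in the post above, as an added example that is not part of the original post. The view ids, the outcome name `viewAccount`, the role name `user` and the `/secure/*` layout are assumptions made for illustration, and the fragments assume FacesServlet is mapped so that view ids match request paths.

```xml
<!-- web.xml (constructed fragment): container-managed constraint.
     The url-pattern is relative to the context root, so it is "/secure/*",
     not "/myapp/secure/*". The container matches it against the URL of the
     INCOMING request only. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- faces-config.xml (constructed fragment), WITHOUT redirect.
     The action posts back to /public/home.xhtml, which is unsecured, and
     JSF then renders /secure/account.xhtml by internal forward. The
     constraint above is never evaluated for this request. -->
<navigation-rule>
  <from-view-id>/public/home.xhtml</from-view-id>
  <navigation-case>
    <from-outcome>viewAccount</from-outcome>
    <to-view-id>/secure/account.xhtml</to-view-id>
  </navigation-case>
</navigation-rule>

<!-- faces-config.xml (constructed fragment), WITH redirect.
     Use this rule in place of the one above. The browser is sent a
     redirect and issues a new request for /secure/account.xhtml, so the
     incoming URL matches /secure/* and the constraint is enforced. -->
<navigation-rule>
  <from-view-id>/public/home.xhtml</from-view-id>
  <navigation-case>
    <from-outcome>viewAccount</from-outcome>
    <to-view-id>/secure/account.xhtml</to-view-id>
    <redirect/>
  </navigation-case>
</navigation-rule>
```

To check the result, trigger the action without being logged in and confirm that the browser's address bar shows the `/secure/` URL and the login challenge appears before the page renders.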