You can't. The container managed authentication doesn't allow that fine grained configuration (which is exactly why 3rd party authentication frameworks like Apache Shiro and Spring Security exist).
Your best bet is to replace the container managed login by a programmatic login. Change the <form action="j_security_check">
by a <h:form>
which submits to a JSF action method like this
public void login() throws IOException {
FacesContext context = FacesContext.getCurrentInstance();
ExternalContext externalContext = context.getExternalContext();
HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
try {
request.login(username, password);
externalContext.redirect(homepageURL);
} catch (ServletException e) {
context.addMessage(null, new FacesMessage("Unknown login"));
}
}