You have only configured your spring-security filter to handle FORWARD requests, it also needs to handle other types:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
PrettyFaces does not FORWARD the request if it is not handled by the framework, therefore, the dispatch type remains REQUEST, and the Spring Security filter never executes.