Welcome to the JavaRanch, Alex!
I haven't studied up on Spring Security as much as I'd like, but as I understand it, in webapps, Spring Security is piggy-backed on top of the
J2EE standard security and I do understand that fairly well.
J2EE container security is an externally-applied system, so its first line of defense knows nothing of the internals of the web application. It therefore applies itself to what it does know, which is incoming URLs.
The container determines role requirements by pattern-matching the incoming URL against lists
patterns with associated role lists. JSF has a problem with this, since the incoming URL is more of a "session handle" than an absolute resource locator and therefore the URL may still be referring to an earlier page.
To prevent this from happening, use the JSF "redirect" option on your navigation requests. That will incur some overhead, but it will force the URL to match the actual resource being requested so that the proper security rules will then be applied.