The sample CAS server configuration described at http://shiro.apache.org/cas.html (Complete configuration sample) doesn't require authentication for welcome files defined in web.xml.
INI configuration [urls]:
/shiro-cas = casFilter
/protected/** = roles[ROLE_USER]
/** = anon
When I access the URL localhost:8080/shiro-cas/protected/index.xhtml, Shiro correctly redirects me to the CAS server for authentication.
But if I access localhost:8080/shiro-cas/, the application redirects me to the specified welcome file /protected/index.xhtml without authentication.