Erro console do navegador 403 forbidden

java

Bom dia, estou desenvolvendo uma aplicação com JSF 2.2, Spring 4 e PrimeFaces 5 e estou sofrendo com um erro de carregamento ‘403 Forbidden’.

Fazendo testes, tirei a segurança do Spring 4 e funcionou normalmente. Minha configuração do Spring é:

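<?xml version="1.0" encoding="UTF-8"?>

<!--
  Spring Security namespace configuration for a JSF application.
  The default namespace is the security schema, so unprefixed elements
  (http, intercept-url, form-login, authentication-manager, ...) are
  Spring Security elements; plain Spring beans use the "beans:" prefix.

  The namespace declarations below use straight double quotes with a closing
  quote on every value. The pasted original had typographic quotes and
  unterminated attribute values, which is not well-formed XML.
-->
<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
        http://www.springframework.org/schema/aop
        http://www.springframework.org/schema/aop/spring-aop-4.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!-- Filter that checks each request's session against the registry and
         redirects expired sessions to /session-expired.htm. -->
    <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:constructor-arg ref="sessionRegistry" />
        <beans:constructor-arg value="/session-expired.htm" />
    </beans:bean>

    <!--
      Session authentication strategy chain, applied in list order at login:
        1. concurrency control: at most one session per user, and a further
           login is rejected (exceptionIfMaximumExceeded=true) rather than
           expiring the older session;
        2. session fixation protection;
        3. registration of the new session in the shared registry.
      NOTE(review): nothing in this file references the "sas" bean. Unless it
      is wired elsewhere (for example through
      <session-management session-authentication-strategy-ref="sas"/> inside
      <http>), the one-session limit is presumably not enforced. Confirm.
    -->
    <beans:bean id="sas"
        class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean
                    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry" />
                    <beans:property name="maximumSessions" value="1" />
                    <beans:property name="exceptionIfMaximumExceeded" value="true" />
                </beans:bean>
                <beans:bean
                    class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
                </beans:bean>
                <beans:bean
                    class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry" />
                </beans:bean>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <!-- Registry shared by the concurrency filter and the strategies above. -->
    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />

    <!--
      Web security rules.
      CSRF: Spring Security 4 enables CSRF protection by default in namespace
      configuration, so a POST (every JSF form postback, including the login
      form) that carries no valid token is rejected with 403. That is the
      likely source of the "403 forbidden" described with this configuration.
      Keep the protection enabled and send the token with each form, using
      the "_csrf" request attribute (its parameterName and token properties)
      as a hidden field, instead of switching CSRF off.
    -->
    <http auto-config="true" use-expressions="true">
        <!-- Rules are evaluated top to bottom and the first match wins.
             A URL that matches none of the patterns below is not restricted
             by this block; consider a final catch-all rule if every other
             path should require authentication. -->
        <!--  <intercept-url pattern="/paginas/*" access="isAuthenticated()" /> -->
        <intercept-url pattern="/pagAdmin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/pagDensenvolvedor/**" access="hasRole('ROLE_DESENV')" />
        <intercept-url pattern="/pagRestrita/**" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/pagPublica/**" access="permitAll" />

        <!-- NOTE(review): default-target-url is the login page itself and
             always-use-default-target is true, so a successful login is sent
             back to the login page. Confirm this is intended. -->
        <form-login login-page="/pagPublica/login.jsf"
            default-target-url="/pagPublica/login.jsf"
            authentication-failure-url="/pagPublica/login.jsf"
            always-use-default-target="true" />

        <!-- Access-denied responses are shown using the login page; the
             response status presumably remains 403, which is what the
             browser console reports. -->
        <access-denied-handler error-page="/pagPublica/login.jsf" />

        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    </http>

    <!-- Authentication provider used by the authentication manager below.
         No scope attribute is set, so this is a singleton. -->
    <beans:bean id="authProvider" class="br.com.controle.LoginControlador">
        <aop:scoped-proxy />
    </beans:bean>

    <!-- Session-scoped bean of the same class as authProvider; the two ids
         are separate bean definitions and do not share state. -->
    <beans:bean id="userSession" class="br.com.controle.LoginControlador" scope="session">
        <aop:scoped-proxy />
    </beans:bean>

    <authentication-manager>
        <authentication-provider ref="authProvider" />
    </authentication-manager>

</beans:beans>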

1 Resposta

<!--
  Fragment of the <http> element from the configuration in the question; the
  opening <http ...> tag is not shown in this snippet.

  The csrf element below turns Spring Security's CSRF protection off for the
  whole application. The 403 stops because token checking stops, not because
  the forms started sending a token, so authenticated users lose protection
  against forged state-changing requests.
  Preferred fix: remove this element (CSRF is on by default in Spring
  Security 4 namespace configuration) and include the token in every form
  postback, using the "_csrf" request attribute (parameterName and token) as
  a hidden field.
-->
<csrf disabled="true"/>
    <!--  <intercept-url pattern="/paginas/*" access="isAuthenticated()" /> -->
    <intercept-url pattern="/pagAdmin/**" access="hasRole('ROLE_ADMIN')" />    
    <intercept-url pattern="/pagDensenvolvedor/**" access="hasRole('ROLE_DESENV')" />
    <intercept-url pattern="/pagRestrita/**" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/pagPublica/**" access="permitAll" />        
    
    <form-login login-page="/pagPublica/login.jsf" 
        default-target-url="/pagPublica/login.jsf" 
        authentication-failure-url="/pagPublica/login.jsf" 
        always-use-default-target="true"/>
    
    <access-denied-handler error-page="/pagPublica/login.jsf"  />

    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
</http>

Fiz funcionar desabilitando o CSRF, o que não é recomendado, mas não achei como fazer funcionar corretamente.

Criado 22 de janeiro de 2016
Ultima resposta 22 de jan. de 2016