For some reason the other posts on this topic disappeared. I’m summing up the solution here so that others running into the problem can fix it.
The problem was that the Spring Security Filter was placed before the PrettyFilter with dispatcher settings for REQUEST and FORWARD. Therefore the Spring Security filter was executed twice, once for the incoming pretty URL and another time after PrettyFaces forwarded the request. The solution for the problem is to remove the dispatcher settings from the Spring Security filter so that it only applies to incoming request and not to forwarded ones.
Do you play Magic?
Get TopDecked MTG, the #1 Magic App, built by players, for players. Free to use, forever.