Problema com ajax - jsf - web.xml

Olá, bom dia.

esbarrei em um problema com requisição Ajax usando um commandButton do bootsfaces, quando implementei a segurança no web.xml a requisição Ajax do index (seria a próxima pagina) está sendo bloqueada.

alguém já passou por algo parecido? Sou meio novato na área e estou quebrando a cabeça com isso, segue o meu web.xml e um exemplo do commandButton.

Obs: antes de implementar a segurança os eventos Ajax funcionavam.

Obrigado pela ajuda ^^.

<b:commandButton 
                   value="Reprocessar"                      		 	
                   style="margin-right:10px;"           
                   ajax="true"                      		 	                		 	                    		 	
                   onclick="ajax:gerenciaMQBean.moveMessages('APOLICE')">
 </b:commandButton> 



<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">  
  <display-name>CentralBonusManager</display-name>
  <welcome-file-list>
    <welcome-file>/index.jsf</welcome-file>    
  </welcome-file-list>   
   <servlet>
   	   <servlet-name>FacesServlet</servlet-name>
       <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
       <load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
       <servlet-name>FacesServlet</servlet-name>
       <url-pattern>*.jsf</url-pattern>
       <url-pattern>*.xhtml</url-pattern>
	</servlet-mapping>	
	<context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>server</param-value>
    </context-param>   
	<security-constraint>
		<web-resource-collection>
	    	<web-resource-name>Protected Resources</web-resource-name>
	      	<url-pattern>/*</url-pattern>
	    </web-resource-collection>
	    <auth-constraint>
	    	<role-name>nit2</role-name>
	    </auth-constraint>
	</security-constraint>	
	<security-constraint>
		<web-resource-collection>
	    	<web-resource-name>All Resources</web-resource-name>
	      	<url-pattern>/image/*</url-pattern>
            <url-pattern>/css/*</url-pattern>
            <url-pattern>/js/*</url-pattern>
            <url-pattern>/javax.faces.resource/*</url-pattern>
            <url-pattern>/login.jsf</url-pattern>
	    </web-resource-collection>
	</security-constraint>  
  	<login-config>
    	<auth-method>FORM</auth-method>
    	<realm-name>ActiveDirectoryRealm</realm-name>
    	<form-login-config>
        	<form-login-page>/login.jsf</form-login-page>
        	<form-error-page>/login.jsf</form-error-page>
    	</form-login-config>
	</login-config>  
  	<security-role>
    	<role-name>nit2</role-name>
	</security-role>
</web-app>

bom… depois de algumas pesquisas e testes consegui resolver o problema, segue a solução.

Foi adicionado a tag POST dentro do security

<security-constraint>
    <web-resource-collection>
    <web-resource-name>Protected Resources</web-resource-name>
         <url-pattern>/*</url-pattern>
         <http-method-omission>POST</http-method-omission>
     </web-resource-collection>
     <auth-constraint>
         <role-name>nit2</role-name>
     </auth-constraint>
</security-constraint>