Here in the last entry,
[urls] /faces/login.xhtml = authc /faces/** = authc
you've told Shiro to authenticate every single unmapped URL matching /faces/**
. This thus also covers JSF resources such as CSS/JS/image files which are auto-included by JSF components (as in PrimeFaces). In effects, when the browser wants to download e.g. the CSS file, it receives a login page instead of the actual CSS content and is hence unable to apply the definied CSS styles. You can see it yourself by entering the URL to the CSS file in the browser's address bar yourself. Instead of the CSS file content, you'll see a login page. The webbrowser is "under the covers" facing exactly that problem.
You need to explicitly tell Shiro to allow unauthenticated (anonymous) access to JSF resources. Those resources are identified by an additional /javax.faces.resource
path (as definied by the ResourceHandler#RESOURCE_IDENTIFIER
constant in JSF API).
[urls] /faces/login.xhtml = authc /faces/javax.faces.resource/** = anon /faces/** = authc