5 Replies Latest reply on Dec 14, 2017 11:22 AM by leone2015

    Injecting @SessionScoped bean into Filter doesn't match jsf


      I am having a weird error. We are using a servlet filter to do authentication checks and holding user state in a @SessionScoped bean. It all seems to work fine, except that when the session is invalidated, either by session.invalidate() or by a re-deployment, our @SessionScoped bean injected into the filter will be a different instance than the one available to JSF.

      Steps to reproduce:

      1. navigate to page, both filter and JSF print same object id ex: Authenticator@4a0c85dc

      2. click login

      3. reload page, filter and JSF continue to print same Authenticator reference

      4. click logout

      5. reload page, filter and JSF now print different instances of Authenticator.

      6. click login

      7. JSF instance of Authenticator contains user, filter instance does not.

      Here is the code we are using. If anyone has any idea what we are doing wrong, it would be greatly appreciated.


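      import java.io.IOException;
      import javax.enterprise.inject.Instance;
      import javax.inject.Inject;
      import javax.servlet.*;
      import org.jboss.logging.Logger;

      public class SecurityFilter
           implements Filter {
           @Inject // assumes a CDI producer for org.jboss.logging.Logger
           Logger LOGGER;
           @Inject
           private Instance< Authenticator > authenticatorInstance;
           public void init(
                final FilterConfig arg0 )
                throws ServletException {
                // NO OP
           }
           public void doFilter(
                final ServletRequest request,
                final ServletResponse response,
                final FilterChain chain )
                throws IOException, ServletException {
                // Resolve the session-scoped bean for the current request and log its identity
                Authenticator authenticator = authenticatorInstance.get();
                LOGGER.debugv( "authenticator:{0}", authenticator );
                // Hand the request on to the rest of the chain (JSF)
                chain.doFilter( request, response );
           }
           public void destroy() {
                // NO OP
           }
      }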


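      import java.io.Serializable;
      import javax.enterprise.context.SessionScoped;
      import javax.inject.Inject;
      import javax.inject.Named;
      import javax.servlet.http.HttpSession;
      @Named @SessionScoped // @Named exposes the bean to EL as #{authenticator}
      public class Authenticator
           implements Serializable {
           @Inject private HttpSession httpSession; // assumed to be container-injected
           private String user;
           public String login() {
                this.user = "username";
                return "SUCCESS";
           }
           public String logout() {
                // Clear the session
                if ( httpSession != null ) {
                     httpSession.invalidate();
                }
                return "SUCCESS";
           }
      }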


      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml"
           xmlns:ui="http://java.sun.com/jsf/facelets"
           xmlns:h="http://java.sun.com/jsf/html">
      <ui:composition template="/WEB-INF/templates/restricted-layout.xhtml">
      <ui:define name="content">
           <h:form id="login" prependId="false">
                <h:commandButton id="loginButton" value="login"
                     action="#{authenticator.login}" />
                <h:commandButton id="logoutButton" value="logout"
                     action="#{authenticator.logout}" />
                Prints out object id: #{authenticator}
           </h:form>
      </ui:define>
      </ui:composition>
      </html>