What you can do is create a list that is injected in the application scope and append each authenticated user id to it. No need to append the whole objects to the application scope.
Thank you for your answer. But the problem with your solution is, if the user's session times out, his id is still in application scope....
The Seam way would be to use an @Destroy method on a session-scoped object to remove the user id from the application context.
The ordinary Servlet way would be to implement HttpSessionListener.
The solution I found for my app was to create a JavaBean with login() and logout() methods.
The login() is mapped using the <security:identity authenticate-method tag in components.xml
The logout() is mapped using <event type="org.jboss.seam.preDestroyContext.SESSION" tag in components.xml
If the user successfully logs in, the system adds him to an application-scoped list.
When the user logs out the system removes its information from this list.
It has worked very well.
I hope I've helped.
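The plain Servlet approach mentioned in this thread, as an added example that is not code from any of the posts: an HttpSessionListener that drops the user id from an application-scoped registry on logout or timeout. The class name, the attribute names and the `markLoggedIn` helper are hypothetical, and the per-user session count (so a user with two open sessions stays listed until both end) goes beyond what the posts describe.

```java
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener // Servlet 3.0+; on older containers declare it under <listener> in web.xml
public class LoggedInUserTracker implements HttpSessionListener {
    // Hypothetical attribute names, chosen for this example.
    static final String REGISTRY_ATTR = "loggedInUserCounts";
    static final String USER_ID_ATTR = "authenticatedUserId";

    // Application-scoped map: user id -> number of live authenticated sessions.
    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, Integer> registry(ServletContext ctx) {
        synchronized (ctx) {
            Object reg = ctx.getAttribute(REGISTRY_ATTR);
            if (reg == null) {
                reg = new ConcurrentHashMap<String, Integer>();
                ctx.setAttribute(REGISTRY_ATTR, reg);
            }
            return (ConcurrentMap<String, Integer>) reg;
        }
    }

    // Call from the authentication code after the credentials have been verified.
    public static void markLoggedIn(HttpSession session, String userId) {
        if (userId.equals(session.getAttribute(USER_ID_ATTR))) return; // already counted
        session.setAttribute(USER_ID_ATTR, userId);
        registry(session.getServletContext()).merge(userId, 1, Integer::sum);
    }

    public static Set<String> currentUsers(ServletContext ctx) {
        return Collections.unmodifiableSet(registry(ctx).keySet());
    }

    @Override public void sessionCreated(HttpSessionEvent se) { }

    // Runs for explicit invalidate() and for container timeouts alike,
    // before the session's attributes are discarded.
    @Override public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        Object userId = session.getAttribute(USER_ID_ATTR);
        if (userId == null) return; // session was never authenticated
        registry(session.getServletContext())
            .computeIfPresent((String) userId, (id, n) -> n > 1 ? n - 1 : null);
    }
}
```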