We provide a simple REST interface which is secured using HTTP basic auth (for now). We're injecting the "@Context SecurityContext" in the methods providing the REST interface. The securityCtx is being injected into some RequestScoped bean where it's being used to determine the user. Everything works fine that way. But the code is cluttered with all the repeated initSecurityContext() calls in each method, which is not nice at all.
So we thought it should be possible to inject the SecurityContext as a class variable and use some interceptor to inject the securityCtx into the RequestScoped bean. That worked too. But problems arose quickly, as we noticed (in JMeter tests) that we could not switch between users quickly. Calling securityCtx.getUserPrincipal() returned null on subsequent calls to the REST-providing bean, as if the securityCtx was not updated/re-injected correctly. The REST bean is a stateless session bean.
Are we doing something wrong, or can this be a bug?
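Added example, not code from the question above: one way to get rid of the per-method initSecurityContext() calls without relying on a SecurityContext field held by a pooled stateless bean. A ContainerRequestFilter reads the SecurityContext from the ContainerRequestContext of the current request and copies the principal into a CDI @RequestScoped bean; the resource then injects that bean. Because the @RequestScoped bean is a CDI client proxy, every call resolves to the instance of the current request, so a principal can never be carried over from a previous request. The filter also fails closed (401) when no principal is present, so a resource method never runs with a missing or stale user. This assumes JAX-RS 2.x with CDI on a Java EE container; the class names CurrentUser, CurrentUserFilter and WhoAmIResource are hypothetical, and in a real project each class lives in its own file.

```java
// Added example (not the poster's code). Assumes JAX-RS 2.x + CDI on a Java EE
// container. Class names are hypothetical; in practice each goes in its own file.
import javax.annotation.Priority;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import java.security.Principal;

/** One instance per HTTP request: cannot leak a user name across requests. */
@RequestScoped
class CurrentUser {
    private String name;

    void set(Principal p) {
        this.name = (p == null) ? null : p.getName();
    }

    String name() {
        return name;
    }
}

/**
 * Runs once per request, after container authentication (AUTHORIZATION priority),
 * and copies the caller's principal into the request-scoped holder.
 */
@Provider
@Priority(Priorities.AUTHORIZATION)
class CurrentUserFilter implements ContainerRequestFilter {
    @Inject
    CurrentUser currentUser;

    @Override
    public void filter(ContainerRequestContext ctx) {
        // The SecurityContext taken from the request context belongs to *this* request,
        // independent of which pooled resource instance will later handle the call.
        SecurityContext sc = ctx.getSecurityContext();
        Principal p = (sc == null) ? null : sc.getUserPrincipal();
        if (p == null) {
            // Fail closed: an unauthenticated caller never reaches a resource method,
            // so there is no way to fall through to a previously set user.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        currentUser.set(p);
    }
}

/** Resource method with no SecurityContext handling of its own. */
@Path("/whoami")
class WhoAmIResource {
    @Inject
    CurrentUser currentUser;

    @GET
    public String whoami() {
        // The filter has already populated the request-scoped bean for this request.
        return "user=" + currentUser.name();
    }
}
```

A quick check for the reported symptom is to keep the JMeter run but alternate credentials on consecutive requests against /whoami and compare the returned user name with the credentials sent; with the request-scoped holder filled by the filter, every response must name the user of that very request.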