I have double checked the code.
There are no session.invalidate() and no webAuthentication.logout() calls in between.
Maybe the session is turning out to be different. What we are dealing with is the Tomcat session at the server. Now if the JSF bean changes anything in the request to indicate a different session, then the previous authentication is lost.
I am not an expert in JSF. So I cannot answer if this is a bug.