I was going to suggest using EJBContext and its getCallerPrincipal() method, but you mentioned you don't use container managed auth/auth.
You said you don't want to use Producer because a stateless bean has no notion of sessions. While that is true, you don't need to worry about it. You can inject an instance of a class annotated with @SessionScoped (use the version from javax.enterprise.context, not javax.faces.bean though) and the EJB container should take care of injecting the correct value.
Specifies that a bean is session scoped.
The session scope is active:
during the service() method of any servlet in the web application, during the doFilter() method of any servlet filter and when the container calls any HttpSessionListener, AsyncListener or ServletRequestListener.
The session context is shared between all servlet requests that occur in the same HTTP session. The session context is destroyed when the HTTPSession times out, after all HttpSessionListeners have been called, and at the very end of any request in which invalidate() was called, after all filters and ServletRequestListeners have been called.
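The injection described in the answer above, as an added example that is not part of the original post. The class names CurrentUser and AccountService are hypothetical, and the sketch assumes the application's own login code calls setUsername() after it has verified the credentials. Because the session scope is only active during servlet request processing, the EJB treats a call made outside an HTTP request as unauthenticated instead of letting the container exception escape.

```java
// ---- CurrentUser.java (hypothetical class, one instance per HTTP session) ----
import java.io.Serializable;
import javax.enterprise.context.SessionScoped; // CDI scope, not javax.faces.bean

@SessionScoped
public class CurrentUser implements Serializable {
    private static final long serialVersionUID = 1L;
    private String username; // stays null until the application's login code sets it

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public boolean isAuthenticated() { return username != null; }
}

// ---- AccountService.java (hypothetical stateless EJB) ----
import javax.ejb.Stateless;
import javax.enterprise.context.ContextNotActiveException;
import javax.inject.Inject;

@Stateless
public class AccountService {

    // The container injects a client proxy, so every call is routed to the
    // CurrentUser instance of the HTTP session that is active for that call.
    @Inject
    private CurrentUser currentUser;

    // Returns the caller's name or refuses; never falls back to a default user.
    public String requireCaller() {
        try {
            if (!currentUser.isAuthenticated()) {
                throw new SecurityException("no authenticated user in this session");
            }
            return currentUser.getUsername();
        } catch (ContextNotActiveException e) {
            // Raised when the bean is invoked with no active session scope,
            // for example from a timer or a message-driven bean.
            throw new SecurityException("no HTTP session for this call", e);
        }
    }
}
```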
Sunny X Narula wrote: This is a design problem not a general java problem.
John de Michele wrote: