First and foremost.
User-designed login/security systems are almost invariably extremely insecure.
J2EE has a built-in standard security system. It is well-documented, has a history of actually
being secure, and the J2EE knows how to work with it, which is more than can be said for user-designed security code. I highly recommend it.
However, if you MUST donate yet another systems to be the play-toy of hackers around the world, don't mess around with all this JSF-specific logic. Just define a session-scope backing bean, inject it into your login bean and use POJO property access methods to set and get the values you want. You can then inject that same object into any other
JSF managed beans that need access to the user information.
There is no need to obtain the FacesContext. JSF will set things automatically for you if you design according to Inversion of Control (IoC) principles with no JSF-specific code required at all.
If you have non-JSF components in the webapp (
servlets and/or JSPs), a JSF session-scope object is the same thing as an ordinary J2EE session object and can be retrieved the same way as any other session-scope object. The sole difference is that JSF will automatically construct and initialize manageg beans as needed whereas in straight non-JSF logic you have to do that stuff manually.