One way is to just not make it a JSF managed bean. Make the bean associated with the login form a request/view scoped one and put the User instance in the session scope yourself.

E.g.
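
    // Look up the user; find() returns null when the credentials do not match.
    User user = service.find(username, password);
    if (user != null) {
        // Store the instance as a session attribute named "user".
        ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
        externalContext.getSessionMap().put("user", user);
    }
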
It'll be available as #{user} in EL scope (and thus also be injectable via @ManagedProperty in other beans on exactly that expression). In the find() method, you can just return either InternalUser or ExternalUser accordingly.
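
The approach above end to end, as an added example that is not part of the original answer: a request-scoped login bean stores the User in the session map, and a second bean receives it through @ManagedProperty. The UserService interface, the ProfileBean class, the "home" outcome and the message text are assumptions; each top-level class goes in its own file.

```java
import java.io.Serializable;
import javax.faces.application.FacesMessage;
import javax.faces.bean.*;
import javax.faces.context.FacesContext;

// Hypothetical model: find() returns whichever subtype matches the account.
abstract class User implements Serializable {}
class InternalUser extends User {}
class ExternalUser extends User {}

interface UserService { // hypothetical; returns null when credentials do not match
    User find(String username, String password);
}

@ManagedBean
@RequestScoped // the form bean holds no session state itself
public class LoginBean {
    private String username, password;
    private UserService service; // assumption: supplied by the container (e.g. @EJB)

    public String login() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        User user = service.find(username, password);
        if (user == null) { // failed login: store nothing, stay on the form
            ctx.addMessage(null, new FacesMessage("Unknown login"));
            return null;
        }
        ctx.getExternalContext().getSessionMap().put("user", user);
        return "home?faces-redirect=true"; // hypothetical outcome
    }
    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
}

@ManagedBean
@ViewScoped
public class ProfileBean implements Serializable {
    @ManagedProperty("#{user}") // resolves the session attribute set by LoginBean
    private User user;          // null when nobody is logged in

    public boolean isLoggedIn() { return user != null; }
    public boolean isInternal() { return user instanceof InternalUser; }
    public void setUser(User user) { this.user = user; } // setter required for injection
}
```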