Just add an if check that checks whether the roles are already stored in the session.
if (roles are not stored in session) {
    read from header;
    get user+roles from database;
    store roles in session;
}
Unrelated to the concrete problem, a phase listener is the wrong tool for the job of HTTP request authentication. Consider a servlet filter instead. Therein you can just access the HTTP request and session without the need to extract them from the depths of the JSF API. Note that session scoped JSF managed beans are basically stored as an attribute of HttpSession.
By the way, unless you're using a restrictive (intranet) proxy, are you well aware that the end user has full control over what s/he can send via request headers?
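A servlet filter implementing the session-caching check from this answer, added here as an example and not code from the answer itself; the header name `X-Remote-User`, the `UserDao` lookup and the `roles` session attribute name are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class HeaderAuthFilter implements Filter {
    // Assumed names: the header set by the upstream (intranet) proxy and
    // the session attribute the rest of the webapp reads roles from.
    private static final String USER_HEADER = "X-Remote-User";
    private static final String ROLES_ATTR = "roles";
    // Assumed DAO with Set<String> findRoles(String username), null if unknown.
    private final UserDao userDao = new UserDao();

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession();

        // Hit the database only once per session: the lookup runs when the
        // roles are not stored yet; later requests reuse the cached value.
        if (session.getAttribute(ROLES_ATTR) == null) {
            String username = request.getHeader(USER_HEADER);
            if (username == null || username.isEmpty()) {
                // The header is client-controlled unless a trusted proxy
                // overwrites it; without it, refuse rather than guess.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            Set<String> roles = userDao.findRoles(username);
            if (roles == null || roles.isEmpty()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            session.setAttribute(ROLES_ATTR, roles);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}
}
```

Map the filter to the JSF servlet's URL pattern in web.xml (or with @WebFilter) so it runs before the FacesServlet; the session-scoped beans can then read the roles attribute from the same HttpSession.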