There are several solutions for this.
Create a servlet filter which checks the remote user and the presence of
User
entity in the session. If the remote user is notnull
, but theUser
entity is, then load it from the DB and set it in session. This is concretely answered here: Accessing user details after logging in with Java EE Form authenticationPerform lazy loading in the getter of a session scoped bean which should return the
User
entity. This is concretely answered in 1st part of this answer: Performing user authentication in Java EE / JSF using j_security_checkPerform programmatic login using a real JSF bean action method and obtain the
User
entity directly. This is concretely answered in 2nd part of this answer: Performing user authentication in Java EE / JSF using j_security_check
Unrelated to the concrete problem, you should be using <form action="j_security_check" method="post">
instead of a <h:form prependId="false">
. Then you also don't need that nasty JS hack to change the form's action.