That's exactly what I'm trying to do as well - get the user name at the start of the session, one time only.
It seems if I use the Tomcat valve (Tomcat 6 or 7) as opposed to the filter method, there are fewer checks for authentication.
I suspect the filter gets the principal for every JSF Lifecycle. I'm using JSF 2.0, Facelets.
I have tried a few methods to do this. One that might work out is protecting only a single folder or page and redirecting.
But I really don't like all those redirects.
I first hit index.xhtml redirect to protected page and get the name, redirect to a main page.
I could not find a way to protect index while not protecting everything else.