JSF is based on Inversion of Control. So the preferred means of getting info from one bean to another is to inject the target bean into the source bean and have the source bean invoke the appropriate "set" method on the target bean.
I do not recommend using JSF-specific code to find beans. And if you do, using the EL subsystem is definitely the long slow way around, since for session and app-scope objects, you can use the facesContext to get the HttpServletRequest and use that to get the session/getAttribute or get the application attribute without having to parse and interpret EL. But it's even simpler to use a Managed Property and let JSF do it for you automatically and do it on a platform-independent (POJO) way.
As a side note, however, the technical term for webapps that implement their own security system is "hacked".
J2EE has a standard security manager that's much more secure, requires minimal coding effort, and has had over 10 years to get all the bugs out, to boot.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.