Welcome to the JavaRanch, Mikel!
I strongly discourage writing your own security code instead of using the standard
J2EE security system, no matter how many books you see with "login" code examples. For more detailed ranting on that subject, search this forum.
However, your real question is only incidental that that, and the answer to that question is no, the bean is
not copied. It's a reference. Although if both beans are in request scope it might not look that way, since request-scope beans are created (and destroyed) on each view request. So they're not good as state-holders.