I've created a "User" class which sould be request scoped with the properties "name" and "password".
Also I've created a AuthenticationService which is session scoped and injects the User with @Current (so the User from the request scope must be injected).
Finally I've got a xhtml page which you can enter the user and the password and press a button which triggers an "login" action in the AuthenticationService.
(very similar to the jsf-web-example of chapter 2 of the introduction guide. only with jsf 2.0)

When I am in the login action the properties "name" and "password" from the injected user are null.
But the setters (for name and password) of the User were called before the action was invoked.

So I suppose there are two User objects in two different scopes.
Actually it should always be the request scope.