The RuntimeUserService will not work for this since the logged in user is correctly removed from TLS before request processing hits this filter. In order to do this we need a strategy object of retrieving the user from the session.