In the constructor of com.sun.enterprise.security.SecurityContext an initiator instance (PrincipalImpl) is created using the com.sun.enterprise.security.web.integration.PrincipalGroupFactory and the username passed to the constructor.
This principal instance is then added to the subject.
If the Subject already has a Principal from a LoginModule then the initiator Principal is correctly not added to the Subject as the PrincipalSet ignores the duplicate.
The method SecurityContext.getCallerPrincipal() returns the initiator and not the Principal contained in the Subject. Therefore the LoginModule is rendered useless.
It seems that in V4.1-b0.1 this has been fixed only for one of the constructors, SecurityContext(Subject).
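
The behaviour reported above can be reproduced with a small stand-alone model. This is an added example, not GlassFish code and not part of the original report: `NamedPrincipal`, `TenantPrincipal`, `callerAsReported` and `callerFromSubject` are hypothetical names, and name-based equality between the two principal types is an assumption made so that the Subject's principal set treats them as duplicates.

```java
import java.security.Principal;
import java.util.Objects;
import javax.security.auth.Subject;

public class CallerPrincipalDemo {
    // Stand-in for the container's principal type; name-based equality is an assumption.
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return Objects.hash(name); }
    }

    // Hypothetical principal produced by a custom LoginModule, carrying extra data.
    static class TenantPrincipal extends NamedPrincipal {
        final String tenant;
        TenantPrincipal(String name, String tenant) { super(name); this.tenant = tenant; }
    }

    // Behaviour described in the report: the context keeps its own initiator.
    static Principal callerAsReported(String user, Subject subject) {
        Principal initiator = new NamedPrincipal(user);
        subject.getPrincipals().add(initiator); // ignored: an equal principal is already present
        return initiator;                       // the LoginModule's principal is never returned
    }

    // Defensive variant: prefer the equal principal already held by the Subject.
    static Principal callerFromSubject(String user, Subject subject) {
        Principal initiator = new NamedPrincipal(user);
        for (Principal p : subject.getPrincipals()) {
            if (p.equals(initiator)) return p;
        }
        subject.getPrincipals().add(initiator);
        return initiator;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new TenantPrincipal("alice", "acme")); // constructed sample
        Principal reported = callerAsReported("alice", subject);
        Principal resolved = callerFromSubject("alice", subject);
        System.out.println("as reported:  " + reported.getClass().getSimpleName());
        System.out.println("from subject: " + resolved.getClass().getSimpleName());
        System.out.println("principals in subject: " + subject.getPrincipals().size());
    }
}
```

Application code that casts the caller principal to the LoginModule's type, or reads attributes from it, only works with the second variant; a regression test for a custom LoginModule can assert on the returned type in the same way.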