JASPIC 1.1 introduced a feature where the container remembers the authenticated session. However, the SAM decides whether the application gets to see the identity that was stored in the container session or something else (see GLASSFISH-2031). (Note though that the session should remain intact even when a SAM chooses not to inherit/join it for a particular request.)
When the SAM decides that the session should NOT be applied to the request, e.g. by invoking the handler with a CallerPrincipalCallback and a null for the Principal argument, then on GlassFish 4 a protected resource for which the identity in the container session would have access is correctly denied.
However, for a public resource the Servlet's request.getUserPrincipal incorrectly returns the principal from the container session. If the SAM passed a null for the Principal in the CallerPrincipalCallback and invoked the handler with that, the unauthenticated user should have been associated with the request and hence request.getUserPrincipal should have returned a null.
I've created a unit test at https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/register-session that shows the incorrect behavior. I've also asked Ron Monzillo about the behavior and he confirmed that if the SAM really passes a null into CallerPrincipalCallback then the application should indeed see nothing other than a null from request.getUserPrincipal for that specific request.