According to the API docs for javax.xml.ws.WebServiceContext,
the "getUserPrincipal" method should return null when the user has not been
authenticated, and should only throw "IllegalStateException" if the method is
called while no request is being serviced.
The implementation in com.sun.enterprise.webservice.WebServiceContextImpl
actually throws the IllegalStateException for the case above where it should be
The code is trying to get the user principal from the HttpServletRequest, if
there is one, and otherwise from the directly set principal (for EJB3
endpoints) if that is set. However, if there IS an HttpServletRequest, but
just no authenticated user, the method should return null rather than throwing
the exception at the last line.
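The control flow described above, next to the flow the API docs call for, as an added example. This is not the GlassFish source: `ContextSketch`, the `Request` interface (standing in for HttpServletRequest), the `servicing` flag and both method names are assumptions made for illustration.

```java
import java.security.Principal;

// Added illustration only; hypothetical stand-in, not WebServiceContextImpl.
public class ContextSketch {
    // Minimal stand-in for HttpServletRequest (assumption).
    interface Request { Principal getUserPrincipal(); }

    private final Request request;        // null when the endpoint is not servlet-based
    private final Principal ejbPrincipal; // directly set principal (EJB3 endpoints)
    private final boolean servicing;      // assumed flag: a request is being serviced

    ContextSketch(Request request, Principal ejbPrincipal, boolean servicing) {
        this.request = request;
        this.ejbPrincipal = ejbPrincipal;
        this.servicing = servicing;
    }

    // Behaviour as reported: a request with no authenticated user
    // falls through both branches and reaches the throw on the last line.
    Principal reported() {
        if (request != null && request.getUserPrincipal() != null) {
            return request.getUserPrincipal();
        }
        if (ejbPrincipal != null) {
            return ejbPrincipal;
        }
        throw new IllegalStateException("no principal available");
    }

    // Behaviour per the API docs: null means "not authenticated"; the
    // exception is reserved for calls made while no request is serviced.
    Principal expected() {
        if (!servicing) {
            throw new IllegalStateException("no request is being serviced");
        }
        if (request != null) {
            return request.getUserPrincipal(); // may legitimately be null
        }
        return ejbPrincipal;                   // may legitimately be null
    }

    public static void main(String[] args) {
        Request anonymous = () -> null; // constructed: request without an authenticated user
        ContextSketch ctx = new ContextSketch(anonymous, null, true);
        System.out.println("expected(): " + ctx.expected());
        try {
            ctx.reported();
        } catch (IllegalStateException e) {
            System.out.println("reported(): " + e);
        }
    }
}
```

Endpoint code that tests `getUserPrincipal() == null` to detect an anonymous caller before an authorization decision never reaches that test under the reported behaviour, so the exception has to be handled as a denial rather than left to propagate.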