I think that in your jboss-web.xml or jboss.xml files, you can specify the default principal to be used when not authenticated using the <unauthenticated-principal> xml tag.

When you call the getUserPrincipal, the getName method should in theory return whatever value is in your unauthenticated-principal tag.

Look into the DTD for the XML or in the JBoss documentation on security, there should be some helpful things in there.