C'mon guys. Is this question too dumb or to complicated to answer?
you might ask this in the PicketBox forum (which is about JBoss security): http://community.jboss.org/community/picketbox?view=discussions
Is your principal a custom principal class? I found this forum thread about a bug using custom principal classes: http://community.jboss.org/message/531986