Our team had just upgraded Seam 2.0.x to Seam 2.1 and found out that there is some strange code regarding identity management.
We are using Jboss WebAuthentication and Tomcat ExtendedSingleSignOnValve to login our users programmatically in JBOSS container, and everything was working perfectly. We just had to extend Identity class to delegate getUserPrincipal() to facesContext.getExternalContext().getUserPrincipal(). We also made it possible to propagate security context to EJB layer with web.xml security-constraint (just mapped it to /* without any auth-constraints configured), so everything was also ok with EJBContext.getCallerPrincipal().
As soon as we have updated Seam to 2.1, we started getting funny StackOverflowError messages. While investigating, we have found IdentityRequestWrapper which just delegated getPrincipal() call back to Identity.
We actually had no problems disabling IdentityFilter with dummy component installed with APPLICATION precedence (which is not even a filter, just an empty class), but all our guys are wondering - why it had been introduced. Could you please clarify a bit, we are going to keep on with Seam and we would not like to have a wrong way with our security subsystem.
This link got the answer http://www.seamframework.org/Community/Seam21GAPlainJ2EESecurityUserPrinicpalIsNull
I add tag web:identity-filter disabled set to 'true' to components.xml and everything is working fine.