Are you using Tomcat outside of JBoss, or with the Tomcat/JBoss bundle?
Georg, I don't know what your code for the SecurityAssociationHandler or UserPrincipal does, but you don't say whether your user is logged in or whether you have set a security-domain in your jboss.xml.
If you have set a security-domain, then you must log in with an authorized user to get past the security restrictions.
Also, if you want a non-null Principal from the web server, you'll need to secure your servlet/JSP. If you don't have it secured, it will come back as null, if I remember correctly. That's at least the way it works in Jetty, so it's probably pretty similar.
If you secure that, you can skip all of the SecurityAssociationHandler stuff.
Another thing is if you're already in the JBoss/Tomcat container, all you have to call is:
Context ctx = new InitialContext();
without passing in the hashtable.
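
Added example, not part of the original reply or of any project's own configuration: a web.xml fragment that secures a servlet so the container authenticates the caller and request.getUserPrincipal() is populated. The servlet name, class, URL pattern, role name and realm name are hypothetical.

```xml
<!-- WEB-INF/web.xml (fragment). All names below are hypothetical. -->
<web-app>
  <servlet>
    <servlet-name>AccountServlet</servlet-name>
    <servlet-class>example.AccountServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AccountServlet</servlet-name>
    <url-pattern>/account/*</url-pattern>
  </servlet-mapping>

  <!-- Without a constraint covering the URL, the container does not
       authenticate the caller, and getUserPrincipal() returns null
       for an unauthenticated request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <!-- No <http-method> elements: the constraint applies to every
           HTTP method, not just GET and POST. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only callers holding this role get through. -->
      <role-name>AppUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC credentials are only base64-encoded, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here. -->
  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>
```

In the bundled JBoss/Tomcat setup, the web application is tied to a JAAS security domain with a `<security-domain>` element in WEB-INF/jboss-web.xml, the web-tier counterpart of the jboss.xml setting mentioned above.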