No there is not. The EJBContext.getCallerPrincipal() is the only mechanism for accessing the user.
I have implemented a solution, that though not optimal, provides the required functionality. I provide a facade - for server side java objects (not beans) - that delegates a call to a stateless session bean and retrieves the principal from the context of the bean.
It does the job but it also highlights the fact that at some point on the server side it is likely that regular java classes are going to require access to security. The alternative is that everything that uses security must be a bean, a bit restrictive perhaps.