Well, your session stores j_username & j_password.
If you call restricted session, then JBossSecurityMgrRealm comes into play (as an interceptor)
and creates the principal/roleset/whatever else
based on those request parameters.
If you call for non-restricted stuff, then
this interceptor is not called -> you get no
principal bound to your request.
To solve this you can subclass this interceptor
to work even on unrestricted requests.