Actually didn't you mean to say that welcome.jsp told you who you logged in as using request.getUserPrincipal()?
Did this work the first time around? Because I am having the same issue except I invoked a servlet after successfully logging in. And when I tried to get a Principal object via request.getUserPrincipal() it came back null.
I think I have it now and answered my own question too.
Your index.jsp is not set up as a secured page in your web.xml just as my servlet wasn't. So you don't get a Principal object.
Strange. I doubt that it is the behaviour specified. From the spec:
Returns a java.security.Principal object containing the name of the current authenticated user. If the user has not been authenticated, the method returns null.
This spec is obviously ambiguous, but I would expect people to interpret it so that once a user has been authenticated, getUserPrincipal() always returns the associated Principal object whether the request is for a protected or unprotected resource.