I have a session bean, which requires me to log in. I successfully get a Principal 'admin' for the user. Now, when I call a session bean that does not have the constraint, I get back a Principal 'everyone', which is the role of the unauthenticated user I defined. I feel, that if the user is logged in, I should get back the 'admin' principal, not the unauthenticated principal. Is this a bug ?? Are there any easy workarounds ??