> However, if I then navigate to a non-secured page,
> request.getUserPrincipal() returns null.
> Is this the correct behaviour?
Yes, it is.
If you look at the Apache FAQ, you'll see why. Even w/ Apache, getRemoteUser() is only valid on protected/restricted pages. Ditto the roles.
This prevents you from doing stuff like "show admin links only if user has Admin role" from the home page of a site using only container-managed security. You have to read out the user roles and stick them in the session and manage roles yourself on non-restricted pages. Yucko.
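The "read the roles out on a protected page and stash them in the session" workaround described above, written out as an added example (it is not code from the original thread). It assumes a Servlet 3.0+ container, that `/secure/*` is covered by a `<security-constraint>` so the container has already authenticated the user by the time the filter runs, and that the role names `admin`, `editor` and `user` are the ones declared in the deployment descriptor; all of those names are assumptions. Because the Servlet API has no "list my roles" call, the filter has to probe each known role with `isUserInRole()`.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Runs on protected URLs, where the container has already authenticated the
 * user, and copies the principal name plus the subset of KNOWN_ROLES the user
 * holds into the HttpSession. Unprotected pages, where getUserPrincipal()
 * returns null and isUserInRole() is always false, read the snapshot instead.
 */
@WebFilter("/secure/*")   // assumed: this path is protected by a <security-constraint>
public class RoleSnapshotFilter implements Filter {

    public static final String USER_ATTR  = "snapshot.user";
    public static final String ROLES_ATTR = "snapshot.roles";

    // Assumed role names; isUserInRole(name) is the only role query the API offers,
    // so every role of interest has to be enumerated here.
    private static final String[] KNOWN_ROLES = { "admin", "editor", "user" };

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal p = http.getUserPrincipal();   // non-null here: the URL is protected
        if (p != null) {
            Set<String> roles = new HashSet<>();
            for (String r : KNOWN_ROLES) {
                if (http.isUserInRole(r)) {
                    roles.add(r);
                }
            }
            HttpSession session = http.getSession(true);
            session.setAttribute(USER_ATTR, p.getName());
            session.setAttribute(ROLES_ATTR, Collections.unmodifiableSet(roles));
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /**
     * For unprotected pages (e.g. the home page): true only if a snapshot exists
     * in the session and it lists the role. Never creates a session as a side effect.
     */
    @SuppressWarnings("unchecked")
    public static boolean sessionHasRole(HttpServletRequest req, String role) {
        HttpSession s = req.getSession(false);
        if (s == null) {
            return false;
        }
        Set<String> roles = (Set<String>) s.getAttribute(ROLES_ATTR);
        return roles != null && roles.contains(role);
    }
}
```

A JSP or servlet on an unprotected URL would then call `RoleSnapshotFilter.sessionHasRole(request, "admin")` to decide whether to render the admin links. Treat the snapshot as a display hint only: the actual admin pages stay behind the container's security constraint, so a stale copy (a role revoked after the snapshot was taken) can at most show a link that then fails with 403. Clear the two attributes, or invalidate the session, on logout so the snapshot does not outlive the authenticated session.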