The exception is correct. According to the EJB Spec you're not allowed to call getCallerPrincipal from within the ejbCreate method of stateless SB.
Since a SLSB instance can be used by multiple clients and the creation (ejbCreate) of an instance doesn't need to correspond to a create call from the client, the caller identity wouldn't be very useful anyway.
That makes perfect sense, Harald. Thank you very much!