When you say the server 'loses' the principal after a few requests, are you sure it has lost it? One thing that it does do is when calling a web method that doesn't have security constraints, it will return NULL as the userPrincipal etc. It only returns the userPrincipal when the method invoked has security specified on it.
What you can do is store the principal and any roles in the user's HttpSession ... since that is around for the duration, and check on it from there ... that way you needn't bother with the overhead of having beans for this.
Maybe this is basic.
During the login action I can store the Subject returned from the LoginContext in the HttpSession. On subsequent requests I'd like to use this Subject to call my stateless session beans.
I cannot figure out how to tell the web layer which Principal to use when calling the EJB layer.