I would think it's because your app.jsp is not a secured page with a security-constraint in the web.xml.
If the page is not covered with a security-constraint then no active subject is created and then security associations are not set on the thread.
The thing about J2EE security is your user is actively authenticated on every request to a secure page using the credentials cached from the logon method (and cached subjects in the security manager too).
If the page is not security constrained, it doesn't bother authenticating (and hence request.getUserPrincipal() is null).
Your default page on the other hand probably is secured.
Hope this all helps.
That was exactly it, thank you very much!!
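The fix described in the answer above, as an added example that is not part of the original thread: a `web.xml` fragment in which `app.jsp` falls under the same security-constraint as the default page, so the container authenticates the request and `request.getUserPrincipal()` is populated. The role name `appUser`, the default page `/index.jsp`, the FORM login method and the login page paths are assumptions for illustration.

```xml
<!-- Added example: fragment of WEB-INF/web.xml, placed inside <web-app>. -->
<!-- Assumed names: role "appUser", /index.jsp, /login.jsp, /loginError.jsp. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated pages</web-resource-name>
    <!-- The default page was already covered (assumed path). -->
    <url-pattern>/index.jsp</url-pattern>
    <!-- Missing before: without this pattern no constraint matches
         /app.jsp, the container skips authentication for the request,
         and request.getUserPrincipal() returns null in the page. -->
    <url-pattern>/app.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only callers in this role may reach the resources above. -->
    <role-name>appUser</role-name>
  </auth-constraint>
</security-constraint>

<!-- How the container collects credentials for constrained pages.
     FORM is an assumption; use whatever method the application has. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint must be declared. -->
<security-role>
  <role-name>appUser</role-name>
</security-role>
```

Listing pages one by one makes it easy to leave a new page outside the constraint; a directory pattern such as `/secure/*` (hypothetical path) covers everything placed under it.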