not the expected behavior. It sounds like sessions are not being kept somehow. Are cookies enabled?
No, this is the expected behavior. A filter initiated login does nothing for the security context in terms of subsequent web requests. It simply establishes the security context for other calls into the app server. You need to use the servlet declarative security model using the web.xml descriptor if you want getUserPrincipal, and isUserInRole calls to work in the web tier.