Because J2EE has not actually defined how JAAS should be used. In general, security is under-defined in J2EE. There is a JCP that is being considered for inclusion into J2EE 1.5 that is supposed to define how a container delegates authentication to a provider:
Hopefully that will define how a Subject should be made available, provided that it makes it into J2EE 1.5.
Thanks a lot for the answer Scott.
I am glad to see that my understanding was not totally wrong.
I did notice this JSR, but as the spec is not available for download and the activity seems to be fairly low, I could not verify that this will be my answer.
I guess I will just have to wait and create a custom principal for now...
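The "custom principal" route the thread ends on, written out as an added example that is not code from the thread, from Scott, or from any container: a `Principal` implementation that carries the roles granted at login, a `LoginModule` that authenticates against a constructed in-memory user table and attaches that principal to the `Subject` in `commit()`, and a programmatic `Configuration` so it runs without a `login.config` file. The class names `CustomPrincipalDemo`, `AppPrincipal`, `DemoLoginModule`, the login entry name `demo`, and the users `alice`/`bob` are all assumptions for illustration; a container would perform the `authenticate` step itself and hand the resulting `Subject` to the application.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class CustomPrincipalDemo {

    /** Custom Principal: user name plus the roles granted at login (illustrative, not a container API). */
    public static final class AppPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final Set<String> roles;
        public AppPrincipal(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }
        public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
        @Override public boolean equals(Object o) { return o instanceof AppPrincipal && ((AppPrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "AppPrincipal[" + name + ", roles=" + roles + "]"; }
    }

    /** LoginModule that checks a constructed user table and adds an AppPrincipal to the Subject on commit(). */
    public static class DemoLoginModule implements LoginModule {
        // Constructed sample data: name -> {password, role...}. A real provider would consult a directory or database.
        private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
        static {
            USERS.put("alice", new String[] {"s3cret", "admin", "user"});
            USERS.put("bob",   new String[] {"hunter2", "user"});
        }
        private Subject subject;
        private CallbackHandler handler;
        private AppPrincipal pending;   // built in login(), attached only if the whole login succeeds

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            String[] rec = USERS.get(nc.getName());
            char[] pw = pc.getPassword();
            pc.clearPassword();
            // Constant-time comparison: a wrong password must not leak how much of it matched via timing.
            boolean ok = rec != null && pw != null && MessageDigest.isEqual(
                    rec[0].getBytes(StandardCharsets.UTF_8), new String(pw).getBytes(StandardCharsets.UTF_8));
            if (pw != null) Arrays.fill(pw, '\0');
            if (!ok) throw new FailedLoginException("bad user or password");
            pending = new AppPrincipal(nc.getName(), new HashSet<String>(Arrays.asList(rec).subList(1, rec.length)));
            return true;
        }
        public boolean commit() { if (pending != null) subject.getPrincipals().add(pending); return pending != null; }
        public boolean abort()  { pending = null; return true; }
        public boolean logout() { if (pending != null) subject.getPrincipals().remove(pending); pending = null; return true; }
    }

    /** Programmatic JAAS Configuration so the example needs no login.config file. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
        }
    };

    /** Runs the login and returns the populated Subject (the step a container would do before dispatching). */
    static Subject authenticate(final String user, final String password) throws LoginException {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), handler, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    /** Authorization check against the custom principal; typed lookup avoids casting through getPrincipals(). */
    static boolean hasRole(Subject s, String role) {
        for (AppPrincipal p : s.getPrincipals(AppPrincipal.class)) if (p.hasRole(role)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        Subject alice = authenticate("alice", "s3cret");
        System.out.println(alice.getPrincipals() + " admin=" + hasRole(alice, "admin"));
        try { authenticate("bob", "wrong"); }
        catch (LoginException e) { System.out.println("bob with wrong password rejected: " + e.getMessage()); }
    }
}
```

Two design points worth noting: the principal is created in `login()` but only added to the `Subject` in `commit()`, so a second REQUIRED module failing in the same stack leaves the `Subject` empty; and `getPrincipals(AppPrincipal.class)` is what application code or a filter would call once the container has made the `Subject` available, which is exactly the part the thread says J2EE does not yet specify.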