Mmmm... error caused by.... me!
For the sake of others, here is what was wrong:
I am using custom Group and Principal implementations. When the authorization check is done in the EJB container a SimplePrincipal object is passed to the isMember method of Group and not my custom Principal. The objects contained in the Group are custom Principals, thus care must be taken when comparison is done to not let the different classes get in the way. The name is what you care about.