I am very interested in this too. I am trying to build authentication into my webapp. It appears that the subject is lost between requests. I thought, once authenticated, a subject lasts for the duration of the session. In my scenario I invoke a protected JSP and am taken to my form-based log on page. I log on no problem. I now invoke an unprotected page. I try and access the subject but a null is returned. When I again invoke a protected page I am asked to log on again! Surely this is the incorrect behaviour.
Read the JAAS howto where it talks about the web tier security integration. Unless you are under a URI secured via a security constraint there does not have to be a principal associated with the request.
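To make the point in the reply above concrete, here is an added web.xml fragment (example configuration, not from the thread or from any particular project) showing which URIs carry a security constraint and which do not. The URL patterns, role name and login page names are assumed for illustration.

```xml
<!-- Added example (not from the thread): a web.xml fragment showing which URIs
     carry a security constraint. Paths, role name and page names are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Only requests matching this pattern are authenticated by the container.
       For these requests the container associates the logged-in principal
       with the request, so the subject is available to the page. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login used for the constrained URIs above. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- /public/* is NOT listed in any security-constraint, so the container is
       not required to attach a principal to requests for it. A page there may
       see no principal (e.g. request.getUserPrincipal() returning null) even
       after a successful login under /protected/*. -->
</web-app>
```

The practical consequence is that a page which needs to know who the caller is should itself sit under a security constraint; a page outside every constraint is served without the container being obliged to attach the authenticated principal, which is the behaviour described in the question.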