I have the same problem - no principals are replicated, so user has to authenticate again (session attributes are replicated and visible after authentication). I'm using jboss-4.0.1sp1.
Does anyone know if replication of principals works?
Thanks, Scott - that really helped me and now it works.
By the way - I had problem with request.getRemoteUser() returning null on resources not protected by url-pattern in web.xml.
Found topic on that - may be useful for others: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=9104