The Subject is the more general representation of the authenticated user, but different J2EE layers use different representations. There is no guarantee that you can control the principal available from the EJB/web tiers. You do have more control over the Subject, but really authentication is not standardized in terms of how you do this either. Whatever works currently is the bottom line. When JSR 196 is included this should be standardized.