To follow up, what it sounds like is happening is that when you log in through the console (and use the admin password), you basically get to keep that Principal and Role(s) throughout the deploy and started process. That's why you see the system user during an admin deploy.
Then, obviously, when you run as a normal user, you see their credentials as well.
But when the container starts up fresh and new, "no one" is logged, so RunAs is completely doomed out the gate.
So, raharsha is suggesting you log in implicitly using ProgrammaticLogin, thus forcing the issue.
[Message sent by forum member 'whartung' (whartung)]
http://forums.java.net/jive/thread.jspa?messageID=236268