The problem got resolved (i.e principals were returned consistently even after many deploy/redeploy) after security-constraints were added to web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Pages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ANYONE</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Unsecured resources</web-resource-name>
<url-pattern>/login/*</url-pattern>
<url-pattern>/css/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<url-pattern>/javascript/*</url-pattern>
</web-resource-collection>
</security-constraint>
[Message sent by forum member 'srrampi' ]
http://forums.java.net/jive/thread.jspa?messageID=376162