The trick is to save/restore principal information between subsequent requests. One of the options suggested is:
"In Glassfish, a SAM may instruct the container to register the authentication state (with the session machinery), by adding the following flag to the MessageInfo map.
"com.sun.web.RealmAdapter.register""
[Message sent by forum member 'jszczepankiewicz']
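
A sketch of how a SAM could apply the flag quoted above. This is an added example, not part of the original post and not GlassFish's own code. The class name, the `j_username`/`j_password` form fields, and the expectation that the container returns the registered principal from `getUserPrincipal()` on later requests are assumptions. It also assumes the module only guards resources where authentication is mandatory.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class SessionRegisteringSam implements ServerAuthModule { // hypothetical class name
    static final String REGISTER = "com.sun.web.RealmAdapter.register"; // flag quoted in the post
    private CallbackHandler handler;

    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map options) { handler = h; }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }

    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        try {
            // Restore: assumes a registered session makes the container expose the saved principal here.
            Principal saved = request.getUserPrincipal();
            if (saved != null) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, saved) });
                return AuthStatus.SUCCESS;
            }
            String user = request.getParameter("j_username"); // assumed form field names
            String pass = request.getParameter("j_password");
            if (user != null && pass != null) {
                PasswordValidationCallback pvc = new PasswordValidationCallback(client, user, pass.toCharArray());
                handler.handle(new Callback[] { pvc }); // the container validates against its realm
                pvc.clearPassword();
                if (pvc.getResult()) {
                    handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) });
                    // Save: ask the container to register the authentication state with the session.
                    info.getMap().put(REGISTER, Boolean.TRUE.toString());
                    return AuthStatus.SUCCESS;
                }
            }
            // No registered session and no valid credentials: reject the request.
            ((HttpServletResponse) info.getResponseMessage()).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) { subject.getPrincipals().clear(); }
}
```

Once the state is registered, the session identifier stands in for the credentials on later requests, so the session cookie needs the usual protections (Secure and HttpOnly flags, delivery over TLS only).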