Description of problem: PicketLink's SPFilter does not invoke a security-domain. This means the security-context is not setup properly. This will cause failures when invoking calls like request.getUserPrincipal() or when the web application invokes a secured ejb.
All the SPFilter issues have been rejected, see bz1257676 and bz1166881.