I was confused about the EJBContext.getCallerPrincipal() signature.
It looks like Subject and Principal can both refer to an identity. But from the following:
A Subject may have many Principals. For example, a person may have a name Principal ("John Doe") and a SSN Principal ("123-45-6789"), which distinguish it from other subjects.
Why not use Subject instead of Principal to identify the caller? In the J2EE specifications, we are also talking about Principal, not Subject?
This hasn't made any sense since at least EJB 2.0. At the last JavaOne I asked the Sun security guy about it and, IIRC, he said he might bring it up in a future spec revision.
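The Subject/Principal relationship quoted in the question, as an added example that is not part of the original thread: a JAAS `Subject` carrying the two Principals from the quote, and what is lost when an API returns only one of them. The `NamePrincipal` and `SsnPrincipal` types and the `callerPrincipal` selection rule are hypothetical; how a real EJB container maps a Subject to the caller Principal is container-specific. Assumes Java 16+ for records.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectVsPrincipal {
    // Hypothetical principal types for this example; records supply the
    // equals/hashCode that Subject's principal Set relies on.
    record NamePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record SsnPrincipal(String ssn) implements Principal {
        public String getName() { return ssn; }
    }

    // Hypothetical selection rule: pick the single Principal that an API
    // shaped like getCallerPrincipal() would hand back for this Subject.
    static Principal callerPrincipal(Subject subject) {
        Set<NamePrincipal> names = subject.getPrincipals(NamePrincipal.class);
        if (names.size() != 1) {
            // Fail closed rather than guess which identity is "the" caller.
            throw new SecurityException(
                "expected exactly one NamePrincipal, found " + names.size());
        }
        return names.iterator().next();
    }

    public static void main(String[] args) {
        // Constructed sample identity, taken from the quoted text.
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamePrincipal("John Doe"));
        subject.getPrincipals().add(new SsnPrincipal("123-45-6789"));
        subject.setReadOnly(); // no principals can be added after login

        for (Principal p : subject.getPrincipals()) {
            System.out.println(p.getClass().getSimpleName() + " -> " + p.getName());
        }

        Principal caller = callerPrincipal(subject);
        System.out.println("caller principal: " + caller.getName());
        // Code that only receives the single Principal cannot see the other
        // identities; a check that needs them must be given the Subject.
        System.out.println("SSN reachable from caller principal: "
            + (caller instanceof SsnPrincipal));
    }
}
```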