For a Servlet to get the Principal of a web user, it will call HttpServletRequest#getUserPrincipal(). According to the docs, this method will return null if the user has not authenticated himself. Makes sense.

If an enterprise Java bean (EJB) wants to get the Principal of a user, it will make a call to EJBContext#getCallerPrincipal(). However, according to the docs, this method never returns null.

So what does it return?

Martin Andersson

1 Answer

Although I sadly cannot refer to any kind of documentation of exactly what happens when EJBContext#getCallerPrincipal() is called for a user who is not authenticated, I did my experiment using Glassfish 3.1.2.2 (build 5). It shows that getCallerPrincipal() will indeed return a Principal, and that calling toString() or getName() on this principal both return the string ANONYMOUS. That might be good to know!

Martin Andersson
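Because getCallerPrincipal() never returns null, a null check cannot serve as an authentication test inside an EJB. The following is an added example, not code from the question or the answer, that contrasts the null check with a name-based check. The class `CallerCheck`, its methods and the sample principals are hypothetical; the only anonymous name assumed is the `ANONYMOUS` value reported above for Glassfish 3.1.2.2, and other containers may use a different one.

```java
import java.security.Principal;
import java.util.Set;

/**
 * Hypothetical helper: treats the container's anonymous principal as
 * "not authenticated". In a bean, pass it EJBContext#getCallerPrincipal().
 */
public final class CallerCheck {

    // Names the container assigns to unauthenticated callers. This set is an
    // assumption to configure per container; the page only reports "ANONYMOUS"
    // for Glassfish 3.1.2.2.
    private final Set<String> anonymousNames;

    public CallerCheck(Set<String> anonymousNames) {
        this.anonymousNames = Set.copyOf(anonymousNames);
    }

    /** Naive check: passes for every EJB caller, since the principal is never null. */
    public static boolean naiveIsAuthenticated(Principal caller) {
        return caller != null;
    }

    /** Stricter check: null, empty or anonymous names count as unauthenticated. */
    public boolean isAuthenticated(Principal caller) {
        if (caller == null) {
            return false;
        }
        String name = caller.getName();
        return name != null && !name.isEmpty() && !anonymousNames.contains(name);
    }

    public static void main(String[] args) {
        CallerCheck check = new CallerCheck(Set.of("ANONYMOUS"));

        // Constructed principals standing in for what the container would return.
        Principal anonymous = () -> "ANONYMOUS";
        Principal alice = () -> "alice";

        System.out.println("naive, anonymous caller:  " + naiveIsAuthenticated(anonymous));
        System.out.println("strict, anonymous caller: " + check.isAuthenticated(anonymous));
        System.out.println("strict, named caller:     " + check.isAuthenticated(alice));
    }
}
```

Comparing principal names depends on the container's naming, so where the container can enforce it, a declarative role check such as `@RolesAllowed` or a call to `isCallerInRole()` is less fragile.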