If PicketLink HTTP security is configured, and Servlet API programmatic login is used, the @Default Principal CDI bean is not updated (like it would be if using standard JavaEE security).

This might break applications being ported to PL HTTP security that rely on the combination of programmatic login and Principal bean.