ContextHolder should be null unless the web container is actually processing a request for the principal. Can you get the authentication from the HttpSession?