Authenticated but denied access

I'm using Tomcat 5.5 and form-based authentication. I've used authentication many times but this is weird. The problem is that I am able to login but access to the secured resource is denied (code 403). I know I'm logged in because I don't get the form-error-page, but I'm not in the required role. Making a call to request.getUserPrincipal() returns null, and therefore calls to request.isUserInRole("cmsEditor") always returns false. I have other hosts on the same server using the same authentication method and database so there's something about this instance that's causing the problem. The Host element in the server.xml file is the same as the other hosts. The context files and configuration are also the same as the other hosts so I'm completely lost in figuring this out. I also had no luck getting crossContext to work yesterday so I wonder if there isn't a correlation.

server.xml entry:
<Host appBase="${catalina.home}\sites\TEST" name="test"
autoDeploy="true" unpackWARs="true"
xmlNamespaceAware="false" xmlValidation="false">
</Host>

ROOT.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="" reloadable="true">
</Context>

web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/_auth/AuthForm.jsp</form-login-page>
<form-error-page>/_auth/AuthError.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Website content editor</description>
<role-name>cmsEditor</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>CMS</web-resource-name>
<url-pattern>/cms/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>cmsEditor</role-name>
</auth-constraint>
</security-constraint>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<error-page>
<error-code>403</error-code>
<location>/error/403.jsp</location>
</error-page>
</web-app>

If getUserPrincipal returns null, you're not logged in, no matter what you may think.

The UserPrincipal object contains your authorization (role) context and your login userId.