Whose responsibility is it to call Principal Validator's validate-method?

I'm evaluating the sample security providers and the default security providers.
I manually add a new principal to the Subject in my JSP code. It goes in with
no problems, and the following authorization checks (isAccessAllowed) also go well.

So, why isn't the Principal Validator called? Who should call it? The security framework
or the authorization provider, when making an authorization decision?

How can I make sure it's called and prevent malicious code from tampering with
the subject _inside the server_?

I do not wish to lock the subject with Subject.setReadOnly(), because it's useful
to be able to alter it on some occasions inside the security providers.