The check StringUtils.endsWith(principal.getName(), "XWiki." + username) is almost always because:
- username checks are not always case sensitive
- username and xwikiname may differ depending on the authentication used
I really wonder what the real root cause of XWIKI-3342 is, and the best would be to find it, since there is initially no reason for the principal store in the user session to differ from the session cookies.
Anyway the fix is not appropriate, and I propose to revert it.
Maybe you should also consider XWIKI-3328.