Attached a patch adding RequestHeaderPreAuthenticatedCredentialsFilter into broker-web to allow set principal/subject from the specified request header. This filter can be used to set request credentials with Single Sign-On systems like Siteminder SS0.
Possibly, the better place for the filter could be inside of management plugin, so, it could be used with stand-alone brokers. However, I am not sure about it as the filter adds the potential security hole into the web console. That's why this functionality is implemented as a filter instead of adding the code directly into AbstractServlet.