HTTP header-based authentication is used when an organization authenticates its users through a third-party security solution, for example SiteMinder.
In Figure 1, when a user is successfully authenticated, the security solution sends a user ID to CQ in an HTTP header. [The header value can be in the syntax defined for HTTP Basic Authentication, plain, or extractable by a regular expression.] Since the security solution has already authenticated the valid user, CQ receives an already validated request, as shown in the figure, and assumes that the user has been authenticated. CQ never sees the password or other credentials and would have no way of authenticating the user independently.
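
The trust model described above, as an added example (not CQ's own code): a backend that reads the user ID from the header in each of the three syntaxes and, because it cannot verify the user itself, accepts the header only from the authenticating proxy. The header name `X-Authenticated-User`, the proxy address and the function names are assumptions made for illustration.

```python
import base64
import re
from typing import Mapping, Optional

TRUSTED_PROXIES = {"10.0.0.5"}       # constructed address of the SSO proxy (assumption)
SSO_HEADER = "X-Authenticated-User"  # hypothetical header name, not from the page


def extract_user_id(value: str, fmt: str, pattern: Optional[str] = None) -> Optional[str]:
    """Return the user ID carried in the header value, or None if it is malformed."""
    if fmt == "plain":
        user = value.strip()
    elif fmt == "basic":
        # HTTP Basic syntax: "Basic " + base64("user:password")
        scheme, _, blob = value.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, _ = decoded.partition(":")
        if not sep:
            return None
    elif fmt == "regex":
        # The first capture group of the configured pattern is the user ID.
        match = re.fullmatch(pattern or "", value)
        if match is None or not match.groups():
            return None
        user = match.group(1)
    else:
        raise ValueError(f"unknown header format: {fmt}")
    return user or None


def authenticate(peer_ip: str, headers: Mapping[str, str], fmt: str,
                 pattern: Optional[str] = None) -> Optional[str]:
    """Accept the asserted identity only when the request comes from the proxy."""
    # The backend has no credentials to check, so the header is only as
    # trustworthy as its sender: ignore it from any other peer.
    if peer_ip not in TRUSTED_PROXIES:
        return None
    value = headers.get(SSO_HEADER)  # exact-case lookup, for brevity
    if value is None:
        return None
    return extract_user_id(value, fmt, pattern)
```

A request that reaches the backend without passing through the proxy gets `None` here even if it carries a well-formed header, which is the property the whole scheme depends on.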