...

The algorithm of the servlet is roughly:

  1. If subjectAttribute is set, check the request attribute it names for a Java Subject to use. If one is found, it is returned through the External Authentication interface and all other settings are ignored.

  2. Otherwise, check for a principal name as directed by the settings, in REMOTE_USER, request attributes, and headers (in that order). If none is found, authentication fails.

  3. If authnMethodHeader is set, check each value of that header to see whether the associated login flow supports a custom Principal matching it, and if so, attach that Principal to the Subject returned through the External Authentication interface. If the header carries a value the login flow does not support, the value is logged but does not otherwise affect the outcome of the flow: by the time this step runs, the authentication result is already a success.

If you need something different from this, your best option is to use the External login flow, possibly adapting the existing servlet as an example to copy for your own purposes. In all respects, this flow is simply a more concrete use of the External flow.
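The decision order above, written out as a small model so the precedence rules and the two failure modes (no principal name found; unsupported authnMethodHeader value) are visible. This is an added example, not the Shibboleth IdP's servlet code: the `Subject`, `Request`, `Config` and `Result` classes are constructed stand-ins for the Java types, the option names mirror the flow's settings, and `supportedCustomPrincipals` is an assumed stand-in for "the custom Principals the associated login flow supports". Header lookup is exact-match for brevity.

```python
"""Model of the RemoteUser servlet's decision order (constructed example)."""
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

log = logging.getLogger("remoteuser-model")

Principal = Tuple[str, str]  # (kind, value), e.g. ("Username", "alice")


@dataclass
class Subject:
    """Stand-in for javax.security.auth.Subject."""
    principals: Set[Principal] = field(default_factory=set)


@dataclass
class Request:
    """Stand-in for the servlet request (constructed)."""
    remote_user: Optional[str] = None
    attributes: Dict[str, object] = field(default_factory=dict)
    headers: Dict[str, List[str]] = field(default_factory=dict)  # name -> values


@dataclass
class Config:
    """Flow settings; names mirror the documented options."""
    subjectAttribute: Optional[str] = None
    checkRemoteUser: bool = True
    checkAttributes: List[str] = field(default_factory=list)
    checkHeaders: List[str] = field(default_factory=list)
    authnMethodHeader: Optional[str] = None
    # Assumption: the custom Principal values the login flow accepts.
    supportedCustomPrincipals: Set[str] = field(default_factory=set)


@dataclass
class Result:
    """What would be handed back through the External Authentication interface."""
    subject: Optional[Subject] = None
    principal_name: Optional[str] = None
    error: Optional[str] = None  # constructed error label, not the IdP's event id


def find_principal_name(cfg: Config, req: Request) -> Optional[str]:
    """Step 2: REMOTE_USER, then request attributes, then headers, in that order."""
    if cfg.checkRemoteUser and req.remote_user:
        return req.remote_user
    for name in cfg.checkAttributes:
        value = req.attributes.get(name)
        if isinstance(value, str) and value:
            return value
    for name in cfg.checkHeaders:
        values = req.headers.get(name, [])
        if values and values[0]:
            return values[0]
    return None


def authenticate(cfg: Config, req: Request) -> Result:
    """Apply the three steps and return the outcome."""
    # Step 1: a ready-made Subject wins and every other setting is ignored.
    if cfg.subjectAttribute:
        candidate = req.attributes.get(cfg.subjectAttribute)
        if isinstance(candidate, Subject):
            return Result(subject=candidate)

    # Step 2: locate a principal name; none means the flow fails.
    name = find_principal_name(cfg, req)
    if name is None:
        return Result(error="NoCredentials")

    # Without authnMethodHeader only the principal name is reported.
    if not cfg.authnMethodHeader:
        return Result(principal_name=name)

    # Step 3: success is already decided; attach supported custom Principals,
    # log (but ignore) anything the login flow does not support.
    subject = Subject({("Username", name)})
    for value in req.headers.get(cfg.authnMethodHeader, []):
        if value in cfg.supportedCustomPrincipals:
            subject.principals.add(("Custom", value))
        else:
            log.warning("Ignoring unsupported %s value %r", cfg.authnMethodHeader, value)
    return Result(subject=subject, principal_name=name)
```

Running `authenticate` with a `Config` whose `subjectAttribute` names an attribute holding a `Subject` shows step 1 short-circuiting even when REMOTE_USER is also populated; leaving `authnMethodHeader` unset shows that the flow returns a bare principal name rather than a Subject.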

...