/**
     * Pre-processes API requests by checking access authorization before executing the action.
     * If access is not allowed, returns an unauthorized error response.
     *
     * @param runtime the action runtime context containing request information
     * @return ActionResponse with unauthorized error if access denied, otherwise delegates to parent
     */
    @Override
    public ActionResponse godHandPrologue(final ActionRuntime runtime) {

        ApiResult badRequestResult = new ApiResult.ApiResponse().status(Status.BAD_REQUEST).result();
        assertNotNull(badRequestResult);

        // Test UNAUTHORIZED status
        ApiResult unauthorizedResult = new ApiResult.ApiResponse().status(Status.UNAUTHORIZED).result();
        assertNotNull(unauthorizedResult);

        // Test FAILED status

    val response =
      Response
        .Builder()
        .request(request)
        .code(401)
        .header("WWW-Authenticate", "Basic realm=\"User Visible Realm\"")
        .protocol(HTTP_2)
        .message("Unauthorized")
        .build()
    val authRequest = authenticator.authenticate(route, response)

    assertEquals(
      "Basic ${RecordingAuthenticator.BASE_64_CREDENTIALS}",
      authRequest!!.header("Authorization"),

    public ApiResponse handleApplicationException(final ApiFailureResource resource, final RuntimeException cause) {
        if (cause instanceof LoginUnauthorizedException) {
            return asJson(createFailureBean(Status.UNAUTHORIZED, "Unauthorized request.")).httpStatus(HTTP_UNAUTHORIZED);
        }
        return asJson(createFailureBean(Status.BAD_REQUEST, createMessage(resource, cause))).httpStatus(HTTP_BAD_REQUEST);
    }

For the simplest cases, you can use HTTP Basic Auth.

In HTTP Basic Auth, the application expects a header that contains a username and a password.

If it doesn't receive it, it returns an HTTP 401 "Unauthorized" error.

And returns a header `WWW-Authenticate` with a value of `Basic`, and an optional `realm` parameter.

That tells the browser to show the integrated prompt for a username and password.

///

## ⚫️❔ ⚫️ 🔨

⚫️ 🔜 🚶 & 👀 📨 👈 `Authorization` 🎚, ✅ 🚥 💲 `Bearer ` ➕ 🤝, & 🔜 📨 🤝 `str`.

🚥 ⚫️ 🚫 👀 `Authorization` 🎚, ⚖️ 💲 🚫 ✔️ `Bearer ` 🤝, ⚫️ 🔜 📨 ⏮️ 4️⃣0️⃣1️⃣ 👔 📟 ❌ (`UNAUTHORIZED`) 🔗.

👆 🚫 ✔️ ✅ 🚥 🤝 🔀 📨 ❌. 👆 💪 💭 👈 🚥 👆 🔢 🛠️, ⚫️ 🔜 ✔️ `str` 👈 🤝.

👆 💪 🔄 ⚫️ ⏪ 🎓 🩺:

<img src="/img/tutorial/security/image03.png">

👥 🚫 ✔ 🔬 🤝, ✋️ 👈 ▶️ ⏪.

## 🌃

# HTTP Basic Auth

Para los casos más simples, puedes usar HTTP Basic Auth.

En HTTP Basic Auth, la aplicación espera un header que contiene un nombre de usuario y una contraseña.

Si no lo recibe, devuelve un error HTTP 401 "Unauthorized".

Y devuelve un header `WWW-Authenticate` con un valor de `Basic`, y un parámetro `realm` opcional.

Eso le dice al navegador que muestre el prompt integrado para un nombre de usuario y contraseña.

Bei HTTP Basic Auth erwartet die Anwendung einen Header, der einen Benutzernamen und ein Passwort enthält.

Wenn sie diesen nicht empfängt, gibt sie den HTTP-Error 401 „Unauthorized“ zurück.

Und gibt einen Header `WWW-Authenticate` mit dem Wert `Basic` und einem optionalen `realm`-Parameter („Bereich“) zurück.

If it doesn't see an `Authorization` header, or the value doesn't have a `Bearer ` token, it will respond with a 401 status code error (`UNAUTHORIZED`) directly.

You don't even have to check if the token exists to return an error. You can be sure that if your function is executed, it will have a `str` in that token.

You can try it already in the interactive docs:

        // Test creating multiple exceptions with different status codes
        WebApiException exception1 = new WebApiException(400, "Bad Request");
        WebApiException exception2 = new WebApiException(401, "Unauthorized");
        WebApiException exception3 = new WebApiException(500, "Internal Error");

        assertEquals(400, exception1.getStatusCode());
        assertEquals(401, exception2.getStatusCode());