*/
  @Throws(IOException::class)
  fun authenticate(
    route: Route?,
    response: Response,
  ): Request?

  companion object {
    /** An authenticator that knows no credentials and makes no attempt to authenticate. */
    @JvmField
    val NONE: Authenticator = AuthenticatorNone()

    private class AuthenticatorNone : Authenticator {
      override fun authenticate(
        route: Route?,

    }

    /**
     * Redirects an authenticated user to the appropriate admin interface based on their roles.
     * Users with admin roles are redirected to the dashboard, while other users are redirected
     * to their designated admin action class or to the root if no specific action is available.
     *
     * @param user the authenticated user bean containing role information

    */
    int NTLMSSP_REQUEST_TARGET = 0x00000004;

    /**
    * Specifies that communication across the authenticated channel
    * should carry a digital signature (message integrity).
    */
    int NTLMSSP_NEGOTIATE_SIGN = 0x00000010;

    /**
    * Specifies that communication across the authenticated channel
    * should be encrypted (message confidentiality).
    */
    int NTLMSSP_NEGOTIATE_SEAL = 0x00000020;

                    serverKey = (KerberosKey) credential;
                }
            }
        }

        return serverKey;
    }

    /**
     * Returns the authenticated JAAS Subject.
     *
     * @return the authenticated Subject
     */
    public Subject getSubject() {
        return this.subject;
    }

     */
    int NTLMSSP_REQUEST_TARGET = 0x00000004;

    /**
     * Specifies that communication across the authenticated channel
     * should carry a digital signature (message integrity).
     */
    int NTLMSSP_NEGOTIATE_SIGN = 0x00000010;

    /**
     * Specifies that communication across the authenticated channel
     * should be encrypted (message confidentiality).
     */
    int NTLMSSP_NEGOTIATE_SEAL = 0x00000020;

{* ../../docs_src/security/tutorial003_an_py310.py hl[58:66,69:74,94] *}

/// info

The additional header `WWW-Authenticate` with value `Bearer` we are returning here is also part of the spec.

Any HTTP (error) status code 401 "UNAUTHORIZED" is supposed to also return a `WWW-Authenticate` header.

     */
    /**
     * Calls the static {@link #authenticate(HttpServletRequest,
     * HttpServletResponse, byte[])} method to perform NTLM authentication
     * for the specified servlet request.
     *
     * @param req The request being serviced.
     * @param resp The response.
     * @param challenge The domain controller challenge.
     * @return the authenticated NtlmPasswordAuthentication object

	claims.SetAccessKey(accessKey)

	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
	return jwt.SignedString([]byte(secretKey))
}

// Check if the request is authenticated.
// Returns nil if the request is authenticated. errNoAuthToken if token missing.
// Returns errAuthentication for all other errors.
func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, bool, error) {

## Monitoring MinIO in Kubernetes

MinIO server exposes un-authenticated liveness endpoints so Kubernetes can natively identify unhealthy MinIO containers. MinIO also exposes Prometheus compatible data on a different endpoint to enable Prometheus users to natively monitor their MinIO deployments.

### Use cases: external service { #use-cases-external-service }

An example could be that you have an external authentication provider that you need to call.

You send it a token and it returns an authenticated user.

This provider might be charging you per request, and calling it might take some extra time than if you had a fixed mock user for tests.