registerWebConfigItems(data);
        });
    }

    /**
     * Displays the form for editing an existing web authentication configuration.
     *
     * @param form the edit form containing web authentication ID
     * @return HTML response for the web authentication edit form
     */
    @Execute
    @Secured({ ROLE })
    public HtmlResponse edit(final EditForm form) {

        return result == 1;
    }

    /** The authentication type */
    private AuthenticationType type;
    /** The authentication domain */
    private String domain;
    /** The username for authentication */
    private String username;
    /** The password for authentication */
    private char[] password;
    /** The client challenge for NTLM authentication */
    private byte[] clientChallenge = null;

    @Size(max = 1000)
    public String spnegoLoginServerModule;

    /** SPNEGO pre-authentication username. */
    @Size(max = 1000)
    public String spnegoPreauthUsername;

    /** SPNEGO pre-authentication password. */
    @Size(max = 1000)
    public String spnegoPreauthPassword;

    /** Enable or disable SPNEGO basic authentication. */
    @Size(max = 10)
    public String spnegoAllowBasic;

                be `None`.

                This is useful when you want to have optional authentication.

                It is also useful when you want to have authentication that can be
                provided in one of multiple optional ways (for example, with OAuth2
                or in a cookie).
                """
            ),
        ] = True,
    ):
        self.model = OAuth2Model(

 *
 * This class provides Single Sign-On (SSO) authentication using the SPNEGO protocol,
 * which is commonly used for Kerberos-based authentication in Windows environments.
 * It handles the negotiation between client and server to establish a secure
 * authentication context without requiring users to explicitly enter credentials.
 *

                This is useful when you want to have optional authentication.

                It is also useful when you want to have authentication that can be
                provided in one of multiple optional ways (for example, in HTTP Basic
                authentication or in an HTTP Bearer token).
                """
            ),
        ] = True,
    ):

                TimeUnit.MILLISECONDS);

        log.info("Authentication rate limiter initialized: maxAccount={}, maxIp={}, maxGlobal={}/min", maxAttemptsPerAccount,
                maxAttemptsPerIp, maxGlobalAttemptsPerMinute);
    }

    /**
     * Check if authentication attempt is allowed
     *
     * @param username the username attempting authentication
     * @param sourceIp the source IP address

coredns_path     (path)      shared bucket DNS records, default is "/skydns"
client_cert      (path)      client cert for mTLS authentication
client_cert_key  (path)      client cert key for mTLS authentication
comment          (sentence)  optionally add a comment to this setting
```

or environment variables

```
KEY:

        // Authentication errors
        AUTHENTICATION_FAILED("Authentication failed", ErrorCategory.AUTHENTICATION, false), ACCESS_DENIED("Access denied",
                ErrorCategory.AUTHENTICATION, false), INVALID_CREDENTIALS("Invalid credentials", ErrorCategory.AUTHENTICATION,
                        false), SESSION_EXPIRED("Session expired", ErrorCategory.AUTHENTICATION, true),

        // File system errors

        verify(response).setHeader("WWW-Authenticate", "NTLM");
        verify(response).flushBuffer();
    }

    /**
     * Test doGet with NTLM authentication for directory listing
     * This test verifies the authentication flow without actual network operations
     */
    @Test
    void testDoGet_DirectoryListing() throws Exception {