formData       map[string]string
	}{
		{http.StatusForbidden, credentials.SecretKey, map[string]string{"AWSAccessKeyId": "invalidaccesskey"}},
		{http.StatusForbidden, "invalidsecretkey", map[string]string{"AWSAccessKeyId": credentials.AccessKey}},
		{http.StatusNoContent, credentials.SecretKey, map[string]string{"AWSAccessKeyId": credentials.AccessKey}},
		{http.StatusForbidden, credentials.SecretKey, map[string]string{"Awsaccesskeyid": "invalidaccesskey"}},

			success: false,
		},
		// invalid json.
		{

	if err != nil {
		t.Fatal(err)
	}

        public TestLoginCredentialResolver() {
            super(null); // Pass null since we're mocking
        }

        @Override
        public <CREDENTIAL extends LoginCredential> void resolve(final Class<CREDENTIAL> credentialType,
                final Function<CREDENTIAL, OptionalEntity<FessUser>> oneArgLambda) {
            this.resolveCalled = true;
            this.lastCredentialType = credentialType;

import org.codelibs.fess.util.ComponentUtil;
import org.lastaflute.web.login.credential.LoginCredential;

import com.microsoft.aad.msal4j.IAccount;
import com.microsoft.aad.msal4j.IAuthenticationResult;

/**
 * Azure Active Directory credential implementation for Fess authentication.
 * Provides login credential functionality using Azure AD authentication results.
 */

        };

        // Verify SSO is available
        assertTrue(ssoManager.available());

        // Verify login credential retrieval
        LoginCredential credential = ssoManager.getLoginCredential();
        assertNotNull(credential);
        assertEquals("samluser", ((TestLoginCredential) credential).username);

        // Verify response retrieval

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Secure credential storage with encryption at rest.
 *
 * Provides secure storage of passwords and other sensitive credentials
 * using AES-GCM encryption with PBKDF2 key derivation.
 *
 * Features:
 * - Encrypts credentials at rest using AES-256-GCM
 * - Uses PBKDF2 for key derivation from master password
 * - Secure wiping of sensitive data

			// Unable to parse old JSON simply re-initialize a new one.
			return newServerCfg()
		}
	}

	if !globalCredViaEnv && cfg.Credential.IsValid() {
		// Preserve older credential if we do not have
		// root credentials set via environment variable.
		globalActiveCred = cfg.Credential
	}

	// Init compression config. For future migration, Compression config needs to be copied over from previous version.

func (sys *IAMSys) GetServiceAccount(ctx context.Context, accessKey string) (auth.Credentials, *policy.Policy, error) {
	sa, embeddedPolicy, err := sys.getServiceAccount(ctx, accessKey)
	if err != nil {
		return auth.Credentials{}, nil, err
	}
	// Hide secret & session keys
	sa.Credentials.SecretKey = ""
	sa.Credentials.SessionToken = ""
	return sa.Credentials, embeddedPolicy, nil
}

Use `Response.challenges()` to get the schemes and realms of any authentication challenges. When fulfilling a `Basic` challenge, use `Credentials.basic(username, password)` to encode the request header.