case 1:
            // NTLMv1 - deprecated and insecure
            log.warn("NTLMv1 LM response is deprecated and insecure. Consider using NTLMv2.");
            return NtlmUtil.getPreNTLMResponse(tc, getPasswordAsCharArray(), chlng);
        case 2:
            // NTLMv1 with NTLM response - still insecure
            log.warn("NTLMv1 NTLM response is deprecated and insecure. Consider using NTLMv2.");

    /** Flag to enable load balancing across domain controllers */
    private boolean loadBalance;

    /** Flag to enable basic authentication */
    private boolean enableBasic;

    /** Flag to allow insecure basic authentication */
    private boolean insecureBasic;

    /** The authentication realm */
    private String realm;

    @Override
    public void init(final ServletConfig config) throws ServletException {

        filter.init(filterConfig);

        // Test request over insecure connection
        when(request.getHeader("Authorization")).thenReturn(null);
        when(request.isSecure()).thenReturn(false);
        when(httpSession.getAttribute("NtlmHttpAuth")).thenReturn(null);

        filter.doFilter(request, response, filterChain);

And it should have an `access_token`, with a string containing our access token.

For this simple example, we are going to just be completely insecure and return the same `username` as the token.

/// tip

In the next chapter, you will see a real secure implementation, with password hashing and <abbr title="JSON Web Tokens">JWT</abbr> tokens.

But for now, let's focus on the specific details we need.

///

    /** Flag to enable load balancing across domain controllers */
    private boolean loadBalance;

    /** Flag to enable basic authentication */
    private boolean enableBasic;

    /** Flag to allow insecure basic authentication */
    private boolean insecureBasic;

    /** The authentication realm */
    private String realm;

    /** The CIFS context for transport operations */

    .build();
```

With a server that holds a certificate and a client that trusts it we have enough for an HTTPS
handshake. The best part of this example is that we don't need to make our test code insecure with a
a fake `HostnameVerifier` or `X509TrustManager`.

Certificate Authorities
-----------------------

The above example uses a self-signed certificate. This is convenient for testing but not

func NewRemoteTargetHTTPTransport(insecure bool) func() *http.Transport {
	return xhttp.ConnSettings{
		LookupHost:       globalDNSCache.LookupHost,
		RootCAs:          globalRootCAs,
		CipherSuites:     crypto.TLSCiphersBackwardCompatible(),
		CurvePreferences: crypto.TLSCurveIDs(),
		TCPOptions:       globalTCPOptions,
		EnableHTTP2:      false,
	}.NewRemoteTargetHTTPTransport(insecure)
}

-->

## Introduction {#intro}

Go's emphasis on backwards compatibility is one of its key strengths.
There are, however, times when we cannot maintain complete compatibility.
If code depends on buggy (including insecure) behavior,
then fixing the bug will break that code.
New features can also have similar impacts:
enabling the HTTP/2 use by the HTTP client broke programs
connecting to servers with buggy HTTP/2 implementations.

    private String style;
    /** Flag indicating if credentials were supplied */
    private boolean credentialsSupplied;
    /** Flag to enable basic authentication */
    private boolean enableBasic;
    /** Flag to allow insecure basic authentication */
    private boolean insecureBasic;
    /** The authentication realm */
    private String realm;
    /** The default domain for authentication */
    private String defaultDomain;

    /** Flag indicating if credentials were supplied */
    private boolean credentialsSupplied;
    /** Flag to enable basic authentication */
    private boolean enableBasic;
    /** Flag to allow insecure basic authentication */
    private boolean insecureBasic;
    /** The authentication realm */
    private String realm;
    /** The default domain for authentication */
    private String defaultDomain;