@DisplayName("getUserDomain: derives from KerberosPrincipal in Subject")
        void getUserDomain_fromSubjectPrincipal() {
            Subject subject = new Subject();
            Principal kp = new KerberosPrincipal("******@****.***");
            subject.getPrincipals().add(kp);

            Kerb5Authenticator auth = new Kerb5Authenticator(subject);
            assertEquals("EXAMPLE.COM", auth.getUserDomain());
        }

        });
    }

    /**
     * Test getKeys method when subject has Kerberos keys.
     *
     * @throws LoginException if login fails.
     */
    @Test
    void testGetKeys_WithKeys() throws LoginException {
        Set<Object> privateCredentials = new HashSet<>();
        privateCredentials.add(key1);
        privateCredentials.add(key2);
        when(subject.getPrivateCredentials()).thenReturn(privateCredentials);

                }
            }
        }

        return serverKey;
    }

    /**
     * Returns the authenticated JAAS Subject.
     *
     * @return the authenticated Subject
     */
    public Subject getSubject() {
        return this.subject;
    }

        private final boolean guest;
        private final Subject subject;
        private final boolean failOnRefresh;

        TestCredentials(String domain, boolean anonymous, boolean guest, Subject subject, boolean failOnRefresh) {
            this.domain = domain;
            this.anonymous = anonymous;
            this.guest = guest;
            this.subject = subject;
            this.failOnRefresh = failOnRefresh;
        }

        // Test the cloning behavior with both null and non-null cached subjects
        if (first != null) {
            // If we got a valid subject, test that it's properly cached and cloned
            Subject cachedOrig = orig.getSubject();
            assertNotNull(cachedOrig);

            // Cached subject is copied and visible via getSubject()
            Subject copySubj = copy.getSubject();
            assertNotNull(copySubj);

            throw new SmbException("Context setup failed", e);
        }
    }

    /**
     * Set the Kerberos subject
     *
     * @param subject
     *            the subject to set
     */
    protected void setSubject(Subject subject) {
        this.subject = subject;
    }

    @Override
    public void refresh() throws CIFSException {

            }
            lc.login();

            Subject s = lc.getSubject();
            if (log.isDebugEnabled()) {
                log.debug("Got subject: " + s.getPrincipals());
            }
            if (log.isTraceEnabled()) {
                log.trace("Got subject " + s);
            }

            this.cachedSubject = s;
            return this.cachedSubject;

In case of certificate-based authentication, MinIO has to map the client-provided certificate to an S3 policy. MinIO does this via the subject common name field of the X.509 certificate. So, MinIO will associate a certificate with a subject `CN = foobar` to a S3 policy named `foobar`.

The following self-signed certificate is issued for `consoleAdmin`. So, MinIO would associate it with the pre-defined `consoleAdmin` policy.

    SSPContext createContext(CIFSContext tc, String targetDomain, String host, byte[] initialToken, boolean doSigning) throws SmbException;

    /**
     * Get the security subject associated with these credentials.
     * @return subject associated with the credentials
     */
    Subject getSubject();

    /**
     * Refresh the credentials.
     * @throws CIFSException if refresh fails
     */
    void refresh() throws CIFSException;

	if err := DB.AutoMigrate(&Blog{}, &Tag{}); err != nil {
		t.Fatalf("Failed to auto migrate, got error: %v", err)
	}

	blog := Blog{
		Locale:  "ZH",
		Subject: "subject",
		Body:    "body",
		Tags: []Tag{
			{Locale: "ZH", Value: "tag1"},
			{Locale: "ZH", Value: "tag2"},
		},
	}

	DB.Save(&blog)
	if !compareTags(blog.Tags, []string{"tag1", "tag2"}) {