content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: Unauthorized request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Page not found
      content:
        application/json:
          schema:

        ApiResult badRequestResult = new ApiResult.ApiResponse().status(Status.BAD_REQUEST).result();
        assertNotNull(badRequestResult);

        // Test UNAUTHORIZED status
        ApiResult unauthorizedResult = new ApiResult.ApiResponse().status(Status.UNAUTHORIZED).result();
        assertNotNull(unauthorizedResult);

        // Test FAILED status

    /**
     * Pre-processes API requests by checking access authorization before executing the action.
     * If access is not allowed, returns an unauthorized error response.
     *
     * @param runtime the action runtime context containing request information
     * @return ActionResponse with unauthorized error if access denied, otherwise delegates to parent
     */
    @Override
    public ActionResponse godHandPrologue(final ActionRuntime runtime) {

    val response =
      Response
        .Builder()
        .request(request)
        .code(401)
        .header("WWW-Authenticate", "Basic realm=\"User Visible Realm\"")
        .protocol(HTTP_2)
        .message("Unauthorized")
        .build()
    val authRequest = authenticator.authenticate(route, response)

    assertEquals(
      "Basic ${RecordingAuthenticator.BASE_64_CREDENTIALS}",
      authRequest!!.header("Authorization"),

    public ApiResponse handleApplicationException(final ApiFailureResource resource, final RuntimeException cause) {
        if (cause instanceof LoginUnauthorizedException) {
            return asJson(createFailureBean(Status.UNAUTHORIZED, "Unauthorized request.")).httpStatus(HTTP_UNAUTHORIZED);
        }
        return asJson(createFailureBean(Status.BAD_REQUEST, createMessage(resource, cause))).httpStatus(HTTP_BAD_REQUEST);
    }

        // Full NTLM handshake testing would require more complex mocking

        // Arrange - Mock a server that supports NTLM
        mockResponse(HTTP_UNAUTHORIZED, "Unauthorized", Collections.singletonMap("WWW-Authenticate", Collections.singletonList("NTLM")),
                new ByteArrayInputStream(new byte[0]));

        // Act - Trigger handshake

        assertDoesNotThrow(() -> ntlmServlet.init(servletConfig));
    }

    /**
     * Test the service method when no Authorization header is present and no session exists.
     * Expects a 401 Unauthorized response with NTLM and Basic authentication challenges.
     * @throws ServletException
     * @throws IOException
     */
    @Test
    void testService_NoAuthHeader_NoSession() throws ServletException, IOException {

  /**
   * Returns the RFC 7235 authorization challenges appropriate for this response's code. If the
   * response code is 401 unauthorized, this returns the "WWW-Authenticate" challenges. If the
   * response code is 407 proxy unauthorized, this returns the "Proxy-Authenticate" challenges.
   * Otherwise this returns an empty list of challenges.
   *

For the simplest cases, you can use HTTP Basic Auth.

In HTTP Basic Auth, the application expects a header that contains a username and a password.

If it doesn't receive it, it returns an HTTP 401 "Unauthorized" error.

And returns a header `WWW-Authenticate` with a value of `Basic`, and an optional `realm` parameter.

That tells the browser to show the integrated prompt for a username and password.

///

## ⚫️❔ ⚫️ 🔨

⚫️ 🔜 🚶 & 👀 📨 👈 `Authorization` 🎚, ✅ 🚥 💲 `Bearer ` ➕ 🤝, & 🔜 📨 🤝 `str`.

🚥 ⚫️ 🚫 👀 `Authorization` 🎚, ⚖️ 💲 🚫 ✔️ `Bearer ` 🤝, ⚫️ 🔜 📨 ⏮️ 4️⃣0️⃣1️⃣ 👔 📟 ❌ (`UNAUTHORIZED`) 🔗.

👆 🚫 ✔️ ✅ 🚥 🤝 🔀 📨 ❌. 👆 💪 💭 👈 🚥 👆 🔢 🛠️, ⚫️ 🔜 ✔️ `str` 👈 🤝.

👆 💪 🔄 ⚫️ ⏪ 🎓 🩺:

<img src="/img/tutorial/security/image03.png">

👥 🚫 ✔ 🔬 🤝, ✋️ 👈 ▶️ ⏪.

## 🌃