// expect to fail with `ErrUnsignedHeaders` because couldn't find some header
	_, errCode = extractSignedHeaders(signedHeaders, r)
	if errCode != ErrUnsignedHeaders {
		t.Fatalf("Expected the APIErrorCode to %d, but got %d", ErrUnsignedHeaders, errCode)
	}
	// set headers value through Get parameter
	inputQuery.Add("x-amz-server-side-encryption", xhttp.AmzEncryptionAES)

        FATAL // Connection or session must be terminated
    }

    /**
     * Error categories
     */
    public enum Category {
        AUTHENTICATION, AUTHORIZATION, NETWORK, PROTOCOL, RESOURCE, CONFIGURATION, ENCRYPTION, TIMEOUT, IO, UNKNOWN
    }

    private final int errorCode;
    private final Severity severity;
    private final Category category;
    private final Map<String, Object> context;

import org.mockito.MockedStatic;

class PacTest {

    private Map<Integer, KerberosKey> keys;

    @BeforeEach
    void setUp() {
        keys = new HashMap<>();
        // Use ARCFOUR-HMAC encryption type (23) which matches KERB_CHECKSUM_HMAC_MD5
        KerberosKey serverKey = new KerberosKey(new KerberosPrincipal("******@****.***"), "serverKey1234567".getBytes(),
                PacSignature.ETYPE_ARCFOUR_HMAC, 1);

        verify(mockDelegate).getGuestUsername();
        verify(mockDelegate).getGuestPassword();
        verify(mockDelegate).isAllowGuestFallback();
    }

    @Test
    @DisplayName("Encryption and security configuration should delegate correctly")
    void testEncryptionSecurityDelegation() {
        // Given
        when(mockDelegate.isEncryptionEnabled()).thenReturn(true);

		"Invalid WORM value",
		"Please check the passed value",
		"WORM can only accept `on` and `off` values. To enable WORM, set this value to `on`",
	)

	ErrInvalidConfigDecryptionKey = newErrFn(
		"Incorrect encryption key to decrypt internal data",
		"Please set the correct default KMS key value or the correct root credentials for older MinIO versions.",

    /**
     * Share flag indicating that hash generation V2 is enabled for this share.
     */
    public static final int SMB2_SHAREFLAG_ENABLE_HASH_V2 = 0x4000;
    /**
     * Share flag indicating that encryption is required for this share.
     */
    public static final int SMB2_SHAREFLAG_ENCRYPT_DATA = 0x8000;
    /**
     * Share capability indicating DFS support.
     */

			return -1, errObjectTampered
		}
		return actualSize, nil
	}
	return o.Size, nil
}

// Disabling compression for encrypted enabled requests.
// Using compression and encryption together enables room for side channel attacks.
// Eliminate non-compressible objects by extensions/content-types.
func isCompressible(header http.Header, object string) bool {
	globalCompressConfigMu.Lock()

- `@Secured` annotation with role array (`"admin-user"`, `"admin-user-view"`)
- Role-based query filtering via `RoleQueryHelper`
- Authentication: Local (UserService), LDAP, OIDC, SAML, SPNEGO, Entra ID
- Security features: AES encryption, SHA256 digest, LDAP injection prevention, password policy, rate limiting

## Naming Conventions

| Element | Convention | Example |
|---------|------------|---------|

	// Use the maximum parity (N/2), used when saving server configuration files
	MaxParity bool

	// Provides a per object encryption function, allowing metadata encryption.
	EncryptFn objectMetaEncryptFn

	// SkipDecommissioned set to 'true' if the call requires skipping the pool being decommissioned.
	// mainly set for certain WRITE operations.

	if _, ok := args.ReqParams[xhttp.MinIOSourceReplicationRequest]; ok {
		return
	}

	args.Object.Size, _ = args.Object.GetActualSize()

	// remove sensitive encryption entries in metadata.
	crypto.RemoveSensitiveEntries(args.Object.UserDefined)
	crypto.RemoveInternalEntries(args.Object.UserDefined)

	if globalHTTPListen.NumSubscribers(pubsub.MaskFromMaskable(args.EventName)) > 0 {