}

  private fun newEventSource(accept: String? = null): EventSource {
    val builder =
      Request
        .Builder()
        .url(server.url("/"))
    if (accept != null) {
      builder.header("Accept", accept)
    }
    val request = builder.build()
    val factory = createFactory(client)

      }
    }
    return added;
  }

  /**
   * Returns a synchronized (thread-safe) queue backed by the specified queue. In order to guarantee
   * serial access, it is critical that <b>all</b> access to the backing queue is accomplished
   * through the returned queue.
   *
   * <p>It is imperative that the user manually synchronize on the returned queue when accessing the
   * queue's iterator:

* `allow_headers` - Список HTTP-заголовків, які підтримуються для міждоменних запитів. За замовчуванням `[]`. Ви можете використовувати `['*']`, щоб дозволити всі заголовки. Заголовки `Accept`, `Accept-Language`, `Content-Language` і `Content-Type` завжди дозволені для <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" class="external-link" rel="noopener" target="_blank">простих CORS-запитів</a>.

* `allow_headers` - Una lista de headers de request HTTP que deberían estar soportados para requests cross-origin. Por defecto es `[]`. Puedes usar `['*']` para permitir todos los headers. Los headers `Accept`, `Accept-Language`, `Content-Language` y `Content-Type` siempre están permitidos para <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" class="external-link" rel="noopener" target="_blank">requests CORS simples</a>.

            // Then
            assertNotNull(ra1, "Random access with mode should not be null");
            assertNotNull(ra2, "Random access with sharing should not be null");
            assertSame(mockRandomAccess, ra1, "Should return expected random access");
            assertSame(mockRandomAccess, ra2, "Should return expected random access");
        }
    }

    @Nested

* `allow_headers` - A list of HTTP request headers that should be supported for cross-origin requests. Defaults to `[]`. You can use `['*']` to allow all headers. The `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` headers are always allowed for <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" class="external-link" rel="noopener" target="_blank">simple CORS requests</a>.

        RequestParam rp = RequestParam.NO_RETRY;

        // Act: pass to the collaborator
        consumer.accept(rp);

        // Assert: interaction happened exactly once with correct argument; no other calls
        verify(consumer, times(1)).accept(RequestParam.NO_RETRY);
        verifyNoMoreInteractions(consumer);
    }

* `allow_credentials` - 指示跨域请求支持 cookies。默认是 `False`。另外，允许凭证时 `allow_origins` 不能设定为 `['*']`，必须指定源。
* `expose_headers` - 指示可以被浏览器访问的响应头。默认为 `[]`。
* `max_age` - 设定浏览器缓存 CORS 响应的最长时间，单位是秒。默认为 `600`。

中间件响应两种特定类型的 HTTP 请求……

### CORS 预检请求

这是些带有 `Origin` 和 `Access-Control-Request-Method` 请求头的 `OPTIONS` 请求。

        Map<String, List<String>> properties = new HashMap<>();
        properties.put("Accept", Collections.singletonList("application/json"));
        when(mockConnection.getRequestProperties()).thenReturn(properties);
        // Need to mock getRequestProperty as well since it delegates to wrapped connection
        when(mockConnection.getRequestProperty("Accept")).thenReturn("application/json");

        // Act

         5a:d1:35:2d:fc:31:3a:10:e7:0c
```

> Observe the `Subject: CN = consoleAdmin` field.

Also, note that the certificate has to contain the `Extended Key Usage: TLS Web Client Authentication`. Otherwise, MinIO would not accept the certificate as client certificate.

Now, the STS certificate-based authentication happens in 4 steps:

- Client sends HTTP `POST` request over a TLS connection hitting the MinIO TLS STS API.