- **Secure Key Management**: Proper key derivation and nonce generation

### Core Features
- **Per-context configuration**: No global state, each context encapsulates configuration
- **Authentication**: NTLM, Kerberos, SPNEGO unified subsystem
- **SLF4J Logging**: Comprehensive logging throughout the codebase
- **Resource Management**: AutoCloseable patterns for file handles and connections
- **Thread Safety**: Components support concurrent access

import jcifs.CIFSException;
import jcifs.Configuration;
import jcifs.spnego.NegTokenInit;

@ExtendWith(MockitoExtension.class)
class Kerb5AuthenticatorTest {

    @Mock
    CIFSContext tc;

    @Mock
    Configuration config;

    private static byte[] spnegoInitWithMechs(ASN1ObjectIdentifier... mechs) {
        // Build a minimal SPNEGO NegTokenInit containing the provided mechanisms

 *
 * This interface defines the contract for SSO authentication providers that can be
 * integrated with Fess. Implementations handle specific SSO protocols like SAML,
 * OAuth, SPNEGO, or other authentication mechanisms. Each authenticator is responsible
 * for obtaining login credentials, resolving user information, and managing SSO
 * lifecycle operations like logout and metadata exchange.
 */

 * scattered authentication implementations.
 */
public interface AuthenticationProvider {

    /**
     * Authentication type enumeration
     */
    enum AuthType {
        NTLM, KERBEROS, SPNEGO, GUEST, ANONYMOUS
    }

    /**
     * Gets the authentication type
     *
     * @return the authentication type
     */
    AuthType getAuthType();

    /**

    protected boolean allowNTLMFallback = true;
    /** Whether to use raw NTLM authentication without SPNEGO */
    protected boolean useRawNTLM = false;
    /** Whether to disable SPNEGO integrity checking */
    protected boolean disableSpnegoIntegrity = false;
    /** Whether to enforce SPNEGO integrity checking */
    protected boolean enforceSpnegoIntegrity = true;
    /** Whether plain text passwords are disabled */

     *
     * @return whether to disable sending/verifying SPNEGO mechanismListMIC
     */
    boolean isDisableSpnegoIntegrity();

    /**
     *
     * Property {@code jcifs.smb.client.enforceSpnegoIntegrity} (boolean, false)
     *
     * @return whether to enforce verifying SPNEGO mechanismListMIC
     */
    boolean isEnforceSpnegoIntegrity();

    /**

            }
        } else {
            server.guid = new byte[16];
            System.arraycopy(buffer, bufferIndex, server.guid, 0, 16);
            server.oemDomainName = new String();
            // ignore SPNEGO token for now ...
        }

        return bufferIndex - start;
    }

    @Override
    public String toString() {

import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import jcifs.CIFSException;
import jcifs.spnego.NegTokenInit;

/**
 * This class used to provide Kerberos feature when setup GSSContext.
 *
 * @author Shun
 */
class Kerb5Context implements SSPContext {

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import jcifs.CIFSContext;
import jcifs.CIFSException;
import jcifs.spnego.NegTokenInit;

/**
 * Base kerberos authenticator
 *
 * Uses a subject that contains kerberos credentials for use in GSSAPI context establishment.
 *

            bufferIndex += this.server.guid.length;
            this.server.oemDomainName = new String();

            if (this.byteCount > 16) {
                // have initial spnego token
                this.server.encryptionKeyLength = this.byteCount - 16;
                this.server.encryptionKey = new byte[this.server.encryptionKeyLength];