## Authentication Flow

A client can request temp. S3 credentials via the STS API. It can authenticate via a client certificate and obtain a access/secret key pair as well as a session token. These credentials are associated to an S3 policy at the MinIO server.

- Methods with `@Execute` are web endpoints
- DI via `@Resource` annotation
- `HtmlResponse` for JSP, `JsonResponse` for APIs

### Services
- Business logic in `app.service.*`
- Injected into Actions
- Use behavior classes to access OpenSearch

### Helpers
- Cross-cutting utilities in `helper.*`
- Stateless, injected via DI
- Access via `ComponentUtil.getFooHelper()`

## Development Notes

- **Google Site Search (GSS) / Google Custom Search (CSE)** - JavaScript replacement
- **Elasticsearch / OpenSearch** - Direct data migration via bulk APIs
- **Apache Solr** - Document import via REST API
- **Database Systems** - Direct connection via DataStore plugins
- **File Systems** - SMB, FTP, local file crawling
- **Custom Systems** - REST API for bulk document indexing

---

## Pre-Migration Planning

    class EdgeCases {

        @Test
        @DisplayName("Null name is allowed via mock")
        void nullName() {
            FileEntry mock = mock(FileEntry.class);
            when(mock.getName()).thenReturn(null);
            assertNull(mock.getName());
        }

        @Test
        @DisplayName("Negative length is allowed via mock")
        void negativeLength() {
            FileEntry mock = mock(FileEntry.class);

MinIO now supports starting the server arguments and configuration via a YAML configuration file. This YAML configuration describes everything that can be configured in a MinIO setup, such as '--address', '--console-address' and command line arguments for the MinIO server.

- `volatile` for status flags
- Synchronized blocks for critical sections
- Thread-local storage via `CrawlingParameterUtil`

**Resource Management**:
- `AutoCloseable` throughout
- `DeferredFileOutputStream` for large responses (temp files for >1MB)
- Connection pooling with limits
- Background temp file deletion via `FileUtil.deleteInBackground()`

**Fault Tolerance**:
- `FaultTolerantClient` wrapper (retry, circuit breaker)

- All sites must be using the **same** external IDP(s) if any.
- For [SSE-S3 or SSE-KMS encryption via KMS](https://docs.min.io/community/minio-object-store/operations/server-side-encryption.html "MinIO KMS Guide"), all sites **must**  have access to a central KMS deployment. This can be achieved via a central KES server or multiple KES servers (say one per site) connected via a central KMS (Vault) server.

## Configuring Site Replication

export MINIO_STORAGE_CLASS_STANDARD=EC:3
export MINIO_STORAGE_CLASS_RRS=EC:2
```

Storage class can also be set via `mc admin config` get/set commands to update the configuration. Refer [storage class](https://github.com/minio/minio/tree/master/docs/config#storage-class) for
more details.

#### Note

        // Absent key -> CIFSException
        CIFSException noKey = assertThrows(CIFSException.class, session::getSessionKey);
        assertTrue(noKey.getMessage().contains("No session key"));

        // Set a key via reflection and verify retrieval
        byte[] key = new byte[] { 1, 2, 3, 4 };
        setField(session, "sessionKey", key);
        assertArrayEquals(key, session.getSessionKey());
    }

    @Test

        } catch (NoSuchFieldException | IllegalAccessException e) {
            throw new RuntimeException("Failed to access protected fields via reflection", e);
        }

        // Since SamrOpenAlias's constructor parameters are not directly exposed via getters in MsrpcSamrOpenAlias,
        // we cannot directly verify them here without reflection or extending SamrOpenAlias for testing.