{* ../../docs_src/security/tutorial003.py hl[58:66,69:72,90] *}

/// info | 정보

여기서 반환하는 값이 `Bearer`인 추가 헤더 `WWW-Authenticate`도 사양의 일부입니다.

모든 HTTP(오류) 상태 코드 401 "UNAUTHORIZED"는 `WWW-Authenticate` 헤더도 반환해야 합니다.

베어러 토큰의 경우(지금의 경우) 해당 헤더의 값은 `Bearer`여야 합니다.

실제로 추가 헤더를 건너뛸 수 있으며 여전히 작동합니다.

그러나 여기에서는 사양을 준수하도록 제공됩니다.

use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the

///

## どのように動作するか

リクエストの中に`Authorization`ヘッダーを探しに行き、その値が`Bearer`と何らかのトークンを含んでいるかどうかをチェックし、そのトークンを`str`として返します。

もし`Authorization`ヘッダーが見つからなかったり、値が`Bearer`トークンを持っていなかったりすると、401 ステータスコードエラー (`UNAUTHORIZED`) で直接応答します。

トークンが存在するかどうかをチェックしてエラーを返す必要はありません。関数が実行された場合、そのトークンに`str`が含まれているか確認できます。

インタラクティブなドキュメントですでに試すことができます:

<img src="/img/tutorial/security/image03.png">

public class WitnessSecurityManager {
    public void authenticateWitnessService(InetAddress witnessServer) throws SecurityException {
        // Verify witness service is authorized
        if (!isAuthorizedWitnessServer(witnessServer)) {
            throw new SecurityException("Unauthorized witness server: " + witnessServer);
        }
    }
    
    public void validateNotification(WitnessNotification notification) throws SecurityException {

                final RestStatus status = ((OpenSearchStatusException) cause).status();
                switch (status) {
                case UNAUTHORIZED:
                    logger.warn("[{}] Unauthorized access: {}", i, SystemUtil.getSearchEngineHttpAddress(), cause);
                    break;
                default:

    /** The key of the message: You cannot delete a user who is logged in. */
    public static final String ERRORS_could_not_delete_logged_in_user = "{errors.could_not_delete_logged_in_user}";

    /** The key of the message: Unauthorized request. */
    public static final String ERRORS_unauthorized_request = "{errors.unauthorized_request}";

    /** The key of the message: Failed to print a thread dump. */

  If you do not, you risk allowing unauthorized users to access your apiserver.
  * You *MUST* set `--anonymous-auth=false` flag on your federation apiserver unless you are a developer testing this feature and understand it.
    If you do not, you risk allowing unauthorized users to access your federation apiserver.

  fun unauthorizedResponseHandling() {
    val mockResponse =
      MockResponse(
        code = HttpURLConnection.HTTP_UNAUTHORIZED,
        headers = headersOf("WWW-Authenticate", "challenge"),
        body = "Unauthorized",
      )
    server.enqueue(mockResponse)
    server.enqueue(mockResponse)
    server.enqueue(mockResponse)
    val response = getResponse(newRequest("/"))
    assertThat(response.code).isEqualTo(401)

**Affected Versions**:
  - kube-apiserver v1.32.0 - v1.32.5
  - kube-apiserver v1.33.0 - v1.33.1

**Fixed Versions**:

This release contains changes that address the following vulnerabilities:

### CVE-2022-3162: Unauthorized read of Custom Resources

A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.

**Affected Versions**:
  - kube-apiserver v1.25.0 - v1.25.3