```Python hl_lines="55-64  67-70  88"
    {!> ../../../docs_src/security/tutorial003_py310.py!}
    ```

!!! 정보
    여기서 반환하는 값이 `Bearer`인 추가 헤더 `WWW-Authenticate`도 사양의 일부입니다.

    모든 HTTP(오류) 상태 코드 401 "UNAUTHORIZED"는 `WWW-Authenticate` 헤더도 반환해야 합니다.

    베어러 토큰의 경우(지금의 경우) 해당 헤더의 값은 `Bearer`여야 합니다.

    실제로 추가 헤더를 건너뛸 수 있으며 여전히 작동합니다.

    그러나 여기에서는 사양을 준수하도록 제공됩니다.

    {!> ../../../docs_src/security/tutorial003.py!}
    ```

!!! info
    Der zusätzliche Header `WWW-Authenticate` mit dem Wert `Bearer`, den wir hier zurückgeben, ist ebenfalls Teil der Spezifikation.

    Jeder HTTP-(Fehler-)Statuscode 401 „UNAUTHORIZED“ soll auch einen `WWW-Authenticate`-Header zurückgeben.

    Im Fall von Bearer-Tokens (in unserem Fall) sollte der Wert dieses Headers `Bearer` lauten.

因此，在端点中，只有当用户存在、通过身份验证、且状态为激活时，才能获得该用户：

```Python hl_lines="58-67  69-72  90"
{!../../../docs_src/security/tutorial003.py!}
```

!!! info "说明"

    此处返回值为 `Bearer` 的响应头 `WWW-Authenticate` 也是规范的一部分。

    任何 401**UNAUTHORIZED**HTTP（错误）状态码都应返回 `WWW-Authenticate` 响应头。

    本例中，因为使用的是 Bearer Token，该响应头的值应为 `Bearer`。

    实际上，忽略这个附加响应头，也不会有什么问题。

    之所以在此提供这个附加响应头，是为了符合规范的要求。

    说不定什么时候，就有工具用得上它，而且，开发者或用户也可能用得上。

    enableProtocol(Protocol.HTTP_2)
    val credential = basic("jesse", "secret")
    client =
      client.newBuilder()
        .authenticator(RecordingOkAuthenticator(credential, null))
        .build()
    val body1 =
      MockStreamHandler()
        .sendResponse("please authenticate!\n")
        .requestIOException()
        .exhaustResponse()
    server.enqueue(
      MockResponse.Builder()
        .clearHeaders()

//
// Therefore, an S3 implementation may encrypt an ETag before storing
// it. In this case, the stored ETag may not be a well-formed S3 ETag.
// For example, it can be larger due to a checksum added by authenticated
// encryption schemes. Such an ETag must be decrypted before sent to an
// S3 client.
//
// # S3 Clients
//
// There are many different S3 client implementations. Most of them

    ```Python hl_lines="55-64  67-70  88"
    {!> ../../../docs_src/security/tutorial003_py310.py!}
    ```

!!! info
    🌖 🎚 `WWW-Authenticate` ⏮️ 💲 `Bearer` 👥 🛬 📥 🍕 🔌.

    🙆 🇺🇸🔍 (❌) 👔 📟 4️⃣0️⃣1️⃣ "⛔" 🤔 📨 `WWW-Authenticate` 🎚.

    💼 📨 🤝 (👆 💼), 💲 👈 🎚 🔜 `Bearer`.

    👆 💪 🤙 🚶 👈 ➕ 🎚 & ⚫️ 🔜 👷.

    ✋️ ⚫️ 🚚 📥 🛠️ ⏮️ 🔧.

	if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil {
		t.Fatalf("Unable to initialized new signed http request %s", err)
	}
	return req
}

// Tests is requested authenticated function, tests replies for s3 errors.
func TestIsReqAuthenticated(t *testing.T) {
	ctx, cancel := context.WithCancel(GlobalContext)
	defer cancel()

	objLayer, fsDir, err := prepareFS(ctx)
	if err != nil {

			return
		}

		cred := auth.Credentials{
			AccessKey: claims.AccessKey,
			Claims:    claims.Map(),
			Groups:    groups,
		}

		// For authenticated users apply IAM policy.
		if !globalIAMSys.IsAllowed(policy.Args{
			AccountName:     cred.AccessKey,
			Groups:          cred.Groups,
			Action:          policy.PrometheusAdminAction,

  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
  // There must be at least one member in this slice.
  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
  // +listType=atomic
  // Required.
  repeated Subject subjects = 1;

  // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
  // There must be at least one member in this slice.
  // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
  // +listType=atomic
  // Required.
  repeated Subject subjects = 1;