client =
      client.newBuilder()
        .authenticator(RecordingOkAuthenticator(credential, null))
        .build()
    val body1 =
      MockStreamHandler()
        .sendResponse("please authenticate!\n")
        .requestIOException()
        .exhaustResponse()
    server.enqueue(
      MockResponse.Builder()
        .clearHeaders()
        .code(HttpURLConnection.HTTP_UNAUTHORIZED)

- [EK](#ek): An external secret key - either the SSE-C client-provided key or a secret key generated by the KMS.

#### Content Encryption

  @ArgumentsSource(ProtocolParamProvider::class)
  fun authenticate(
    protocol: Protocol,
    mockWebServer: MockWebServer,
  ) {
    setUp(protocol, mockWebServer)
    server.enqueue(
      MockResponse(
        code = HttpURLConnection.HTTP_UNAUTHORIZED,
        headers = headersOf("www-authenticate", "Basic realm=\"protected area\""),
        body = "Please authenticate.",
      ),
    )
    server.enqueue(

     |
    <server>
      <id>deploymentRepo</id>
      <username>repouser</username>
      <password>repopwd</password>
    </server>
    -->

    <!-- Another sample, using keys to authenticate.
    <server>
      <id>siteServer</id>
      <privateKey>/path/to/private/key</privateKey>
      <passphrase>optional; leave empty if not used.</passphrase>
    </server>
    -->
  </servers>

            }
        }

        formSchemeList.forEach(p -> {
            final FormScheme scheme = p.getFirst();
            final Credentials credentials = p.getSecond();
            scheme.authenticate(credentials, (request, consumer) -> {

                // request header
                for (final Header header : requestHeaderList) {
                    request.addHeader(header);
                }

                throws SmbException, UnknownHostException {
        SmbTransport trans = SmbTransport.getSmbTransport( dc, port );
        trans.connect();
        return trans.server.encryptionKey;
    }
/**
 * Authenticate arbitrary credentials represented by the
 * <tt>NtlmPasswordAuthentication</tt> object against the domain controller
 * specified by the <tt>UniAddress</tt> parameter. If the credentials are

    bytesIn.writeByte(0x7d) // == Literal indexed ==
    // Indexed name (idx = 60) -> "www-authenticate"
    bytesIn.writeByte(0x05) // Literal value (len = 5)
    bytesIn.writeUtf8("Basic")
    hpackReader!!.readHeaders()
    assertThat(hpackReader!!.getAndResetHeaderList())
      .containsExactly(Header("www-authenticate", "Basic"))
  }

  @Test
  fun readLiteralHeaderWithIncrementalIndexingDynamicName() {

（类 `SecurityScopes` 的）`security_scopes` 对象还提供了单字符串类型的属性 `scope_str`，该属性是（要在本例中使用的）用空格分割的作用域。

此处还创建了后续代码中要复用（`raise`）的 `HTTPException` 。

该异常包含了作用域所需的（如有），以空格分割的字符串（使用 `scope_str`）。该字符串要放到包含作用域的 `WWW-Authenticate` 请求头中（这也是规范的要求）。

```Python hl_lines="105  107-115"
{!../../docs_src/security/tutorial005.py!}
```

## 校验 `username` 与数据形状

我们可以校验是否获取了 `username`，并抽取作用域。

The build cache has anonymous read access, so you don't need to authenticate in order to use it. You can use a different build cache node by specifying `-DcacheNode=us` for a build cache node in the US or `-DcacheNode=au` for a build cache node in Australia.

`security_scopes` 🎚 (🎓 `SecurityScopes`) 🚚 `scope_str` 🔢 ⏮️ 👁 🎻, 🔌 👈 ↔ 👽 🚀 (👥 🔜 ⚙️ ⚫️).

👥 ✍ `HTTPException` 👈 👥 💪 🏤-⚙️ (`raise`) ⏪ 📚 ☝.

👉 ⚠, 👥 🔌 ↔ 🚚 (🚥 🙆) 🎻 👽 🚀 (⚙️ `scope_str`). 👥 🚮 👈 🎻 ⚗ ↔ `WWW-Authenticate` 🎚 (👉 🍕 🔌).

```Python hl_lines="105  107-115"
{!../../docs_src/security/tutorial005.py!}
```

## ✔ `username` & 💽 💠

👥 ✔ 👈 👥 🤚 `username`, & ⚗ ↔.