uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          # For discussion, see the first setup-java block.
          # The generate-docs workflow doesn't run tests, so we don't have to care which version Maven would select for that step.
          # But we need Java 11 for JDiff.
          java-version: |
            11
            24
          distribution: 'temurin'

  // https://publicobject.com (Comodo) and https://squareup.com (Entrust). But they aren't
  // sufficient to connect to most HTTPS sites including https://godaddy.com and https://visa.com.
  // Typically developers will need to get a PEM file from their organization's TLS administrator.
  val comodoRsaCertificationAuthority =
    """
    -----BEGIN CERTIFICATE-----
    MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB

    if (localValue != null & notInstanceOfDelegatingToFuture(localValue)) {
      return getDoneValue(localValue);
    }
    // we delay calling nanoTime until we know we will need to either park or spin
    long endNanos = remainingNanos > 0 ? System.nanoTime() + remainingNanos : 0;
    long_wait_loop:
    if (remainingNanos >= SPIN_THRESHOLD_NANOS) {
      Waiter oldHead = waitersField;

        }

        // Check if key rotation is needed (including the current message)
        if (needsKeyRotation(message.length)) {
            log.warn("Encryption keys need rotation - will exceed usage limits (bytes: {} + {}, time: {} ms)", bytesEncrypted.get(),
                    message.length, System.currentTimeMillis() - encryptionStartTime);

Then, the browser will send an HTTP `OPTIONS` request to the `:80`-backend, and if the backend sends the appropriate headers authorizing the communication from this different origin (`http://localhost:8080`) then the `:8080`-browser will let the JavaScript in the frontend send its request to the `:80`-backend.

To achieve this, the `:80`-backend must have a list of "allowed origins".

        // Setup
        TestLoginCredential credential = new TestLoginCredential("user", "pass");
        authenticator.setLoginCredential(credential);

        HtmlResponse metadataResponse = null; // Would need proper LastaFlute context to create
        authenticator.setResponseForType(SsoResponseType.METADATA, metadataResponse);

        String logoutUrl = "https://sso.example.com/logout";

# Custom Response - HTML, Stream, File, others { #custom-response-html-stream-file-others }

By default, **FastAPI** will return the responses using `JSONResponse`.

You can override it by returning a `Response` directly as seen in [Return a Response directly](response-directly.md){.internal-link target=_blank}.

                    resp.setContentType("text/html");
                    doDirectory(req, resp, smbFile);
                } else {
                    // Send 401
                    resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    resp.setHeader("WWW-Authenticate", "NTLM");
                    resp.flushBuffer();
                }
            }

      this.failure = failure;
    }

    /**
     * @see Service#state()
     */
    State externalState() {
      if (shutdownWhenStartupFinishes && state == STARTING) {
        return STOPPING;
      } else {
        return state;
      }
    }

    /**
     * @see Service#failureCause()
     */
    Throwable failureCause() {
      checkState(

The application would process the request and send a **plain (unencrypted) HTTP response** to the TLS Termination Proxy.

<img src="/img/deployment/https/https06.drawio.svg">

### HTTPS Response { #https-response }

The TLS Termination Proxy would then **encrypt the response** using the cryptography agreed before (that started with the certificate for `someapp.example.com`), and send it back to the browser.