.Builder()
        .add("WWW-Authenticate: Basic realm=\"protected area\"")
        .build()
    assertThat(headers.parseChallenges("WWW-Authenticate"))
      .isEqualTo(listOf(Challenge("Basic", mapOf("realm" to "protected area"))))
  }

  @Test fun basicChallengeWithCharset() {
    val headers =
      Headers
        .Builder()
        .add("WWW-Authenticate: Basic realm=\"protected area\", charset=\"UTF-8\"")

* The OpenID Connect authenticator can now use a custom prefix, or omit the default prefix, for username and groups claims through the --oidc-username-prefix and --oidc-groups-prefix flags. For example, the authenticator can map a user with the username "jane" to "google:jane" by supplying the "google:" username prefix. ([#50875](https://github.com/kubernetes/kubernetes/pull/50875),...

}

const (
	minValidityDurationSeconds int = 900
	maxValidityDurationSeconds int = 365 * 24 * 3600
)

// Authenticate authenticates the token with the external hook endpoint and
// returns a parent user, max expiry duration for the authentication and a set
// of claims.
func (o *AuthNPlugin) Authenticate(roleArn arn.ARN, token string) (AuthNResponse, error) {
	if o == nil {
		return AuthNResponse{}, nil
	}

    assertThat(response.body.string()).isEqualTo("ABCABCABC")
  }

  @Test
  fun authenticate() {
    server.enqueue(
      MockResponse(
        code = HttpURLConnection.HTTP_UNAUTHORIZED,
        headers = headersOf("www-authenticate", "Basic realm=\"protected area\""),
        body = "Please authenticate.",
      ),
    )
    server.enqueue(
      MockResponse(body = "Successful auth!"),
    )

        lenient().when(request.isSecure()).thenReturn(true);

        ntlmServlet.service(request, response);

        verify(response).setHeader("WWW-Authenticate", "NTLM");
        verify(response).addHeader("WWW-Authenticate", "Basic realm=\"TestRealm\"");
        verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /**

    @Test
    public void testMultipleSecureWipes() {
        authenticator = new NtlmPasswordAuthenticator("DOMAIN", "username", "password");

        // Multiple wipes should not cause errors
        authenticator.secureWipePassword();
        authenticator.secureWipePassword();
        authenticator.secureWipePassword();

        assertNull(authenticator.getPassword(), "Password should remain null after multiple wipes");
    }

        // Execute
        NtlmPasswordAuthentication result = NtlmSsp.authenticate(mockCifsContext, mockRequest, mockResponse, challenge);

        // Verify
        assertNull(result, "Authentication result should be null");
        verify(mockResponse).setHeader("WWW-Authenticate", "NTLM");
        verify(mockResponse).setStatus(HttpServletResponse.SC_UNAUTHORIZED);

    }

    /**
     * Registers an SSO authenticator with this manager.
     *
     * @param authenticator The SSO authenticator to register
     */
    public void register(final SsoAuthenticator authenticator) {
        if (logger.isInfoEnabled()) {
            logger.info("Loaded SsoAuthenticator: {}", authenticator.getClass().getSimpleName());
        }

- Promoted the feature gate `HonorPVReclaimPolicy` to GA. ([#129583](https://github.com/kubernetes/kubernetes/pull/129583), [@carlory](https://github.com/carlory)) [SIG Apps, Storage and Testing]

@Deprecated
public class NtlmSsp implements NtlmFlags {

    /**
     * Default constructor.
     */
    public NtlmSsp() {
        // Default constructor
    }

    /**
     * Calls the static {@link #authenticate(CIFSContext, HttpServletRequest,
     * HttpServletResponse, byte[])} method to perform NTLM authentication
     * for the specified servlet request.
     *
     * @param tc the CIFS context to use
     *