verify(response).setHeader("WWW-Authenticate", "NTLM");
        verify(response).flushBuffer();
    }

    /**
     * Test doGet with NTLM authentication for directory listing
     * This test verifies the authentication flow without actual network operations
     */
    @Test
    void testDoGet_DirectoryListing() throws Exception {

coredns_path     (path)      shared bucket DNS records, default is "/skydns"
client_cert      (path)      client cert for mTLS authentication
client_cert_key  (path)      client cert key for mTLS authentication
comment          (sentence)  optionally add a comment to this setting
```

or environment variables

```
KEY:

     * @since 3.0-beta-1
     */
    boolean isProjectAware();

    /**
     * @param authentication authentication
     * @since 3.0-alpha-3
     */
    void setAuthentication(Authentication authentication);

    /**
     * @return repository authentication
     * @since 3.0-alpha-3
     */
    Authentication getAuthentication();

    /**
     * @param proxy proxy
     * @since 3.0-alpha-3

        }

        // Authentication
        final Authentication[] siteCredentialList =
                getInitParameter(AUTHENTICATIONS_PROPERTY, new Authentication[0], Authentication[].class);
        final List<Pair<FormScheme, Credentials>> formSchemeList = new ArrayList<>();
        for (final Authentication authentication : siteCredentialList) {

## Introduction

MinIO provides a custom STS API that allows authentication with client X.509 / TLS certificates.

A major advantage of certificate-based authentication compared to other STS authentication methods, like OpenID Connect or LDAP/AD, is that client authentication works without any additional/external component that must be constantly available. Therefore, certificate-based authentication may provide better availability / lower operational complexity.

/**
 * SPNEGO response token (NegTokenTarg) used in SPNEGO authentication exchanges
 */
public class NegTokenTarg extends SpnegoToken {

    /**
     * Result code indicating unspecified result
     */
    public static final int UNSPECIFIED_RESULT = -1;
    /**
     * Result code indicating authentication completed successfully
     */
    public static final int ACCEPT_COMPLETED = 0;
    /**

    }

    /**
     * Gets the signature or authentication tag for the encrypted message
     *
     * @return the signature/authentication tag
     */
    public byte[] getSignature() {
        return this.signature;
    }

    /**
     * Sets the signature or authentication tag for the encrypted message
     *
     * @param signature
     *            the signature/authentication tag to set
     */

        repositorySystem.injectAuthentication(Arrays.asList(repository), Arrays.asList(server));
        Authentication authentication = repository.getAuthentication();
        assertNotNull(authentication);
        assertEquals("jason", authentication.getUsername());
        assertEquals("abc123", authentication.getPassword());
    }

 *
 * ### Server Authentication
 *
 * This is the most common form of TLS authentication: clients verify that servers are trusted and
 * that they own the hostnames that they represent. Server authentication is required.
 *
 * To perform server authentication:
 *
 *  * The server's handshake certificates must have a [held certificate][HeldCertificate] (a

                buf.append(port);
            }
            buf.append('/');
        }
        return buf.toString();
    }

    /**
     * Returns the NTLM password authentication.
     * @return The NTLM password authentication.
     */
    public NtlmPasswordAuthentication getAuthentication() {
        return new NtlmPasswordAuthentication(domain == null ? "" : domain, username, password);
    }

    /**