@Override
  public FilterDirector handleResponse(
      HttpServletRequest request, ReadableHttpServletResponse response) {
    FilterDirector myDirector = new FilterDirectorImpl();

    /// The WWW Authenticate header can be used to communicate to the client
    // (since we are a proxy) how to correctly authenticate itself
    final String wwwAuthenticateHeader =
        response.getHeader(CommonHttpHeader.WWW_AUTHENTICATE.toString());

    switch (HttpStatusCode.fromInt(response.getStatus())) {
        // NOTE: We should only mutate the WWW-Authenticate header on a
        // 401 (unauthorized) or 403 (forbidden) response from the origin service
      case UNAUTHORIZED:
      case FORBIDDEN:
        myDirector = updateHttpResponse(myDirector, wwwAuthenticateHeader);
        break;
      case NOT_IMPLEMENTED:
        if ((!StringUtilities.isBlank(wwwAuthenticateHeader)
            && wwwAuthenticateHeader.contains("Delegated"))) {
          myDirector.setResponseStatus(HttpStatusCode.INTERNAL_SERVER_ERROR);
          LOG.error(
              "Repose authentication component is configured as delegetable but origin service does not support delegated mode.");
        } else {
          myDirector.setResponseStatus(HttpStatusCode.NOT_IMPLEMENTED);
        }
        break;
    }

    return myDirector;
  }
    @Test
    public void shouldModifyDelegatedWwwAuthenticateHeaderOn403() {
      when(response.getHeader(CommonHttpHeader.WWW_AUTHENTICATE.toString()))
          .thenReturn("Delegated");
      when(response.getStatus()).thenReturn(403);

      final FilterDirector responseDirector = handler.handleResponse(request, response);

      final String expected = "Keystone uri=" + osauthConfig.getIdentityService().getUri();

      assertEquals(
          "Auth component must pass invalid requests but process their responses",
          expected,
          responseDirector
              .responseHeaderManager()
              .headersToAdd()
              .get(CommonHttpHeader.WWW_AUTHENTICATE.toString())
              .iterator()
              .next());
    }
    @Test
    public void shouldReturn501OnAuth501FailureWithDelegatedWwwAuthenticateHeaderNotSet() {
      when(response.getHeader(CommonHttpHeader.WWW_AUTHENTICATE.toString()))
          .thenReturn("Not-Delegate");
      when(response.getStatus()).thenReturn(501);

      final FilterDirector responseDirector = handler.handleResponse(request, response);

      assertEquals(
          "Auth component must identify proxy auth failures",
          HttpStatusCode.NOT_IMPLEMENTED,
          responseDirector.getResponseStatus());
    }
  private FilterDirector updateHttpResponse(FilterDirector director, String wwwAuthenticateHeader) {
    // If in the case that the origin service supports delegated authentication
    // we should then communicate to the client how to authenticate with us
    if (!StringUtilities.isBlank(wwwAuthenticateHeader)
        && wwwAuthenticateHeader.contains("Delegated")) {
      final String replacementWwwAuthenticateHeader = getWWWAuthenticateHeaderContents();
      director
          .responseHeaderManager()
          .putHeader(
              CommonHttpHeader.WWW_AUTHENTICATE.toString(), replacementWwwAuthenticateHeader);
    } else {
      // In the case where authentication has failed and we did not receive
      // a delegated WWW-Authenticate header, this means that our own authentication
      // with the origin service has failed and must then be communicated as
      // a 500 (internal server error) to the client
      director.setResponseStatus(HttpStatusCode.INTERNAL_SERVER_ERROR);
    }

    return director;
  }