[Kerberos] Add support for list of auth challenge

[bizybot]

Till now we had support for 'Basic', 'Bearer' auth schemes and
this was sufficient for us to reply WWW-Authenticate header
with one value either for Basic or Bearer for unauthorized
access.
After introducing Kerberos we will be supporting Negotiate scheme.
As per RFC7235,
we may respond with the list of challenges. This list is of auth
schemes supported by the server. We can also have custom Realms
defining their own response header value for 'WWW-Authenticate'
header. This commit introduces a getWWWAuthenticateHeaderValue
in Realm to identify the scheme which it wants to use. By default,
it uses 'Basic' auth scheme. This can be overridden
by realms like KerberosRealm to specify 'Negotiate' scheme or OAuth
to specify 'Bearer' or custom realms added by security extensions to
specify their own scheme.
SAML specifications do not specify anything related to the header but
unofficially many have used 'SAML' as auth scheme or used 'Bearer'
auth scheme for passing SAML tokens.
But most of the realms would use the existing schemes
like 'Basic', 'Digest', 'Bearer', 'Negotiate' etc.
At the startup, Security#createComponents will take care of
creating DefaultAuthenticationFailureHandler with default
response header values for 'WWW-Authenticate' as a list of configured
and enabled auth schemes.

[elasticmachine]

Pinging @elastic/es-security

[bizybot]

This deprecated default constructor is added to not break security extensions.

[tvernum]

I know I normally lean towards "just build what you need", but this method feels way too specific to me.
Did you consider a getAuthenticationFailureHeaders() method instead?

[bizybot]

Thank you for the suggestion yes, you right it's too specific and I also felt it should return a List of supported schemes. Usually, the authentication failure response headers will be populated in the ElasticsearchSecurityException and the method name you suggested might confuse. How about getSupportedAuthenticateChallenges instead? or any other suggestion. Thanks.

[jaymode]

Did you consider a getAuthenticationFailureHeaders() method instead?

+1. I feel like this is the way to go. Ultimately this might allow us to remove the authentication failure handler (way off low priority future idea)

[bizybot]

ok, are we thinking of letting the realms drive everything? Because I do see the value in it. Current flow makes us look at the code all over to see where the exception was populated whether it was populated with right headers, that too outside the realm if not then add those headers. I will make it a generic name as suggested. But would like to know more on what other headers do you foresee that needs to be sent and might be the realm driven?

[tvernum]

I think it makes sense to let the realms handle this.
I don't know what other headers we could expect - but that's kind of the point, we can just support a relatively generic method and let custom realms do whatever they need. My guess is that anything other than WWW-Authenticate would be due to weird proprietary protocols, but if they exist then we can support them.

[bizybot]

Hi @jaymode, @tvernum I have addressed your review comments. Please take a look when you get some time. Thank you.

[jaymode]

I left some minor comments. Otherwise this change LGTM

[jaymode]

just use Collections.singletonMap

[jaymode]

complete the thought, configured where?

[jaymode]

Use Collections.singletonMap here and Collections.singletonList