This class is used to parse the information in WWW-Authenticate: and Proxy-Authenticate: headers. It searches among multiple header lines and within each header line for the best currently supported scheme. It can also return a HeaderParser containing the challenge data for that particular scheme.

Some examples:

    WWW-Authenticate: Basic realm="foo" Digest realm="bar" NTLM

Note the realm parameter must be associated with the particular scheme.

or

    WWW-Authenticate: Basic realm="foo"
    WWW-Authenticate: Digest realm="foo",qop="auth",nonce="thisisanunlikelynonce"
    WWW-Authenticate: NTLM

or

    WWW-Authenticate: Basic realm="foo"
    WWW-Authenticate: NTLM ASKAJK9893289889QWQIOIONMNMN

The last example shows how NTLM breaks the rules of RFC 2617 for the structure of the authentication header. This is the reason why the raw header field is used for NTLM.

At present, the class chooses schemes in the following order:

    1. Negotiate (if supported)
    2. Kerberos (if supported)
    3. Digest
    4. NTLM (if supported)
    5. Basic

This choice can be modified by setting a system property:

    -Dhttp.auth.preference="scheme"

which, in this case, specifies that "scheme" should be used as the auth scheme when offered, disregarding the default prioritisation. If scheme is not offered, or is explicitly disabled by disabledSchemes, then the default priority is used.

Attention: when http.auth.preference is set as SPNEGO or Kerberos, it's actually "Negotiate with SPNEGO" or "Negotiate with Kerberos", which means the user will prefer the Negotiate scheme with the GSS/SPNEGO or GSS/Kerberos mechanism. This also means that the real "Kerberos" scheme can never be set as a preference.
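The selection rules described above, as an added example that is not the class's own source: SchemeSelectionExample, parse and choose are hypothetical names, and the disabled set is an assumed stand-in for both disabledSchemes and schemes that are not supported.

```java
import java.util.*;
// Added illustration: class and method names are hypothetical, not the JDK's own code.
public class SchemeSelectionExample {
    // Default order from the text, lower-cased. Only these five names are recognised.
    static final List<String> ORDER = List.of("negotiate", "kerberos", "digest", "ntlm", "basic");
    /** Maps each offered scheme to the raw challenge text that followed its name. */
    static Map<String, String> parse(List<String> headerValues) {
        Map<String, String> offered = new LinkedHashMap<>();
        for (String value : headerValues) {
            String current = null;
            // Split on whitespace or commas outside double quotes (escaped quotes not handled).
            for (String tok : value.trim().split("[\\s,]+(?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)")) {
                String lower = tok.toLowerCase(Locale.ROOT);
                if (ORDER.contains(lower)) {        // a scheme name opens a new challenge
                    current = lower;
                    offered.putIfAbsent(current, "");
                } else if (current != null && !tok.isEmpty()) { // parameter, or NTLM's bare token
                    offered.merge(current, tok, (a, b) -> a.isEmpty() ? b : a + " " + b);
                }
            }
        }
        return offered;
    }

    /** Preferred scheme if offered and not disabled, otherwise first usable one in ORDER. */
    static String choose(Map<String, String> offered, String preference, Set<String> disabled) {
        if (preference != null) {
            String p = preference.toLowerCase(Locale.ROOT);
            // SPNEGO or Kerberos as a preference means the Negotiate scheme.
            if (p.equals("spnego") || p.equals("kerberos")) p = "negotiate";
            if (offered.containsKey(p) && !disabled.contains(p)) return p;
        }
        for (String s : ORDER)
            if (offered.containsKey(s) && !disabled.contains(s)) return s;
        return null; // nothing usable was offered
    }

    public static void main(String[] args) {
        // Header values taken from the examples in the text.
        Map<String, String> multi = parse(List.of("Basic realm=\"foo\"",
            "Digest realm=\"foo\",qop=\"auth\",nonce=\"thisisanunlikelynonce\"",
            "NTLM ASKAJK9893289889QWQIOIONMNMN"));
        System.out.println(multi + " -> " + choose(multi, null, Set.of()));
        System.out.println("prefer ntlm -> " + choose(multi, "ntlm", Set.of()));
        System.out.println("digest disabled -> " + choose(multi, null, Set.of("digest")));
        Map<String, String> single = parse(List.of("Basic realm=\"foo\" Digest realm=\"bar\" NTLM"));
        System.out.println(single + " -> " + choose(single, "SPNEGO", Set.of()));
    }
}
```

In this sketch the order ranks only the schemes a response offers, so a response that carries a Basic challenge alone still yields Basic unless it is in the disabled set.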

