[fit] Add comprehensive HTTP client authentication support with @requestauth annotation (#330)

* fix: Resolve parameter-applier mismatch in HTTP client authentication

Fixes critical architecture issue where static auth appliers and parameter
appliers were mixed in the same list, causing NullPointerException and
parameter count mismatch errors.

**Root Cause Analysis:**
1. NullPointerException: args=null for no-parameter methods
2. Count mismatch: staticAppliers + paramAppliers != args.length
3. Architecture flaw: mixed responsibilities in single applier list

**Solution - Separated Applier Architecture:**
- HttpInfo: Added staticAppliers and paramAppliers fields
- HttpInvocationHandler: Separated execution (static first, then param)
- AnnotationParser: Separated applier construction logic
- Added null-safety for args parameter

**Test Results:**
✅ No-parameter methods: testBearerStatic() now works
✅ Parameter methods: testBearerDynamic(token) now works
✅ All auth types: Bearer, Basic, API Key all functional
✅ Backward compatibility: existing appliers field maintained

Closes #328

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* test: Add comprehensive unit tests for HttpInvocationHandler

Add comprehensive unit tests for HttpInvocationHandler to cover the core
issues discovered and fixed in the HTTP client authentication system:

- Test null args handling to prevent NullPointerException
- Test parameter count mismatch detection
- Test static and parameter applier separation logic
- Test HTTP info missing exception handling
- Test multi-parameter method invocation

Additionally improve code style consistency by:
- Add this. prefix to all member variable accesses
- Add proper resource management for MockitoAnnotations.openMocks()
- Add explanatory comments for uncommon Mockito patterns

These tests fill critical coverage gaps in the HttpInvocationHandler
which previously had no direct unit tests, ensuring the parameter
processing bugs discovered cannot reoccur.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* refactor: Remove redundant appliers field from HttpInfo

Clean up the temporary backward-compatibility code by removing the unused
appliers field, which was replaced by staticAppliers and paramAppliers.

**Changes:**
- HttpInfo: Remove appliers field and its getter/setter methods
- AnnotationParser.parseMethod(): Directly set paramAppliers without temp variable
- AnnotationParser.parseInterface(): Remove backward-compatibility merge logic
- HttpInvocationHandlerTest: Remove appliers initialization from test setup

**Benefits:**
- Clearer separation of concerns between static and parameter appliers
- Reduced code redundancy and maintenance burden
- Improved code readability with more explicit variable names

**Testing:**
✅ All 7 HttpInvocationHandler tests pass
✅ No functional changes, purely structural cleanup

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* refactor: Refactor @requestauth to reuse AuthorizationDestinationSetter mechanism

Unify the authentication architecture by making the @requestauth annotation
system reuse the existing AuthorizationDestinationSetter and Authorization
mechanisms, ensuring consistency with the FEL Tool system.

**Architecture Improvements:**
- Remove AuthDestinationSetter (duplicate implementation)
- Modify StaticAuthApplier to directly create Authorization objects
- Modify RequestAuthResolver to use AuthorizationDestinationSetter
- Both annotation-based and JSON-based systems now use the same mechanism

**Changes:**
- StaticAuthApplier: Create Authorization objects directly via factory methods
- RequestAuthResolver: Return AuthorizationDestinationSetter with appropriate keys
- Remove AuthDestinationSetter and its test file
- Update RequestAuthResolverTest to use AuthorizationDestinationSetter

**Benefits:**
- Eliminates code duplication in authentication logic
- Ensures architectural consistency across different configuration methods
- Simplifies maintenance with a single source of truth
- Better follows the DestinationSetter design pattern

**Testing:**
✅ All 225 tests pass
✅ RequestAuthResolverTest: 3/3 tests pass
✅ HttpInvocationHandlerTest: 7/7 tests pass
✅ No functional changes, purely architectural refactoring

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: Add AuthProvider support to StaticAuthApplier

Fix runtime error when using @requestauth with AuthProvider in class/method level
static authentication scenarios.

**Problem:**
- StaticAuthApplier threw UnsupportedOperationException when encountering AuthProvider
- Example 07 failed to start with "AuthProvider is not supported" error
- Provider-based auth (DynamicTokenProvider, CustomSignatureProvider, ApiKeyProvider)
  was not working in static contexts

**Solution:**
- Add lazy initialization support to StaticAuthApplier
- Add setBeanContainer() method to inject BeanContainer at runtime
- Modify HttpInvocationHandler to call setBeanContainer() before applying static auth
- Cache Authorization object after creation for performance

**Implementation:**
- StaticAuthApplier: Store RequestAuth annotation and delay Authorization creation
- If no Provider: Create Authorization immediately in constructor
- If Provider used: Create Authorization when setBeanContainer() is called
- HttpInvocationHandler: Inject BeanContainer before calling staticApplier.apply()

**Testing:**
✅ All 225 tests pass
✅ HttpInvocationHandlerTest: 7/7 tests pass
✅ No breaking changes to existing functionality

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: Fix authorization field mapping bug and improve code clarity

Fix a bug in parameter-level authentication where API_KEY incorrectly mapped to
annotation.name() instead of the "value" field of ApiKeyAuthorization.

**Problem Analysis:**
1. Bug: RequestAuthResolver.getAuthorizationKey() for API_KEY returned annotation.name()
   (e.g., "X-API-Key"), but should return "value" to update ApiKeyAuthorization.value field
2. Root cause: Confusion between HTTP key name and Authorization object field name
3. Why tests didn't catch it: Tests only verified Setter type, not the internal field name

**Solution: Introduce AuthFieldMapper (Approach 5)**
- Create dedicated AuthFieldMapper class for centralized field mapping logic
- Clear documentation explaining the mapping rationale
- Maintains consistency with FEL Tool system's AuthorizationDestinationSetter mechanism

**Changes:**
1. New file: AuthFieldMapper.java
   - Maps AuthType to Authorization object field names
   - Comprehensive Javadoc with table showing all mappings
   - BEARER → "token", BASIC → "username", API_KEY → "value"

2. Modified: RequestAuthResolver.java
   - Remove complex getAuthorizationKey() method
   - Use AuthFieldMapper.getParameterAuthField() for clear intent
   - Updated documentation

3. New tests: AuthFieldMapperTest.java (5 tests)
   - Verify correct field mappings for all auth types
   - Specifically test API_KEY returns "value" not "key"
   - Validate compatibility with Authorization implementations

4. Enhanced: RequestAuthResolverTest.java
   - Add comments explaining the bug that was found
   - Tests now serve as regression prevention

**Key Insights:**
- API Key has two concepts:
  * "key" field: HTTP Header/Query name (e.g., "X-API-Key")
  * "value" field: Actual API key value (parameter-level updates this)
- AuthFieldMapper makes this distinction explicit and well-documented

**Testing:**
✅ All 230 tests pass (5 new tests added)
✅ AuthFieldMapperTest: 5/5 tests pass
✅ RequestAuthResolverTest: 3/3 tests pass
✅ Maintains 100% consistency with FEL Tool system

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* docs: Fix Javadoc errors in AuthFieldMapper and RequestAuthResolver

Fix Javadoc compilation errors caused by HTML5 incompatible tags and attributes.

**Issues Fixed:**
1. Replace <h3> headings with <p><b> for consistency (H3 requires H2, H1 hierarchy)
2. Remove 'summary' attribute from table (not supported in HTML5)
3. Keep 'caption' element for table description

**Changes:**
- AuthFieldMapper.java: Replace h3 tags with p+b tags, remove summary attribute
- RequestAuthResolver.java: Replace h3 tags with p+b tags

**Verification:**
✅ mvn javadoc:javadoc compiles successfully
✅ All documentation formatting preserved
✅ HTML5 compliant

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* feat: Support BASIC auth field selection via name attribute for parameter-level authentication

Enable parameter-level BASIC authentication to specify which field to update (username or
password) using the name attribute, allowing dual-parameter authentication scenarios.

**Core Changes:**

1. **AuthFieldMapper.java**
   - Modified getParameterAuthField() to accept nameAttribute parameter
   - BASIC auth: name="username" or name="password" selects field to update
   - Default behavior: returns "username" when name is not specified (backward compatible)
   - API_KEY: name specifies HTTP Header/Query name (different semantic)
   - BEARER: name attribute is ignored
   - Use StringUtils.isNotBlank() and StringUtils.equals() for string operations
   - Fixed Javadoc line lengths to comply with 120-character limit

2. **RequestAuthResolver.java**
   - Pass annotation.name() to AuthFieldMapper.getParameterAuthField()
   - Enables BASIC auth field selection based on name attribute

3. **RequestAuth annotation**
   - Enhanced Javadoc to document name attribute semantics for different auth types
   - Added table showing name attribute meaning per auth type
   - Clarified BASIC auth usage: name selects target field (username/password)

**Testing:**

4. **AuthFieldMapperTest.java** (added 3 new tests, total 8 tests)
   - testBasicAuthFieldDefault(): Verify default returns "username"
   - testBasicAuthFieldExplicitUsername(): Test name="username"
   - testBasicAuthFieldPassword(): Test name="password"
   - testBasicAuthFieldInvalidName(): Verify invalid name throws exception
   - Updated existing tests to use new method signature

5. **Example 07 Enhancements**
   - TestAuthInterface: Added testBasicDynamicUsername() and testBasicDynamicBoth()
   - TestAuthClient: Implemented both methods with proper annotations
   - TestAuthServerController: Added corresponding endpoints
   - TestClientController: Added method invocation support
   - run_tests.sh: Added two new BASIC auth test cases

**Usage Examples:**

```java
// Method-level: Complete BASIC auth, parameter overrides username
@requestauth(type = BASIC, username = "static-user", password = "static-password")
String test(@requestauth(type = BASIC) String username);

// Parameter-level: Separately override username and password
@requestauth(type = BASIC, username = "base-user", password = "base-password")
String test(
    @requestauth(type = BASIC, name = "username") String user,
    @requestauth(type = BASIC, name = "password") String pwd
);
```

**Key Design:**
- name attribute has semantic overloading across auth types
- BASIC: Specifies Authorization object field name
- API_KEY: Specifies HTTP Header/Query name
- Method-level BASIC auth must provide complete username+password
- Parameter-level updates specific fields via authorizationInfo()

**Validation:**
✅ All 233 tests pass
✅ Javadoc compiles without errors/warnings
✅ Code formatting complies with CodeFormatterFromIdea.xml
✅ Example 07 compiles and runs successfully

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* refactor: Simplify StaticAuthApplier by using constructor injection for BeanContainer

Remove the setBeanContainer() method and lazy initialization pattern in StaticAuthApplier,
replacing it with direct constructor injection using the BeanContainer already available
in AnnotationParser.

**Problem:**
- StaticAuthApplier used lazy initialization with setBeanContainer() called from HttpInvocationHandler
- This created unnecessary complexity and runtime dependency injection
- AnnotationParser already had BeanContainer available but wasn't using it
- The setBeanContainer() approach required runtime checks and state management

**Solution:**
- Modified StaticAuthApplier constructor to accept BeanContainer parameter
- AnnotationParser now passes its BeanContainer when creating StaticAuthApplier instances
- Removed setBeanContainer() method entirely
- Removed lazy initialization logic and state management
- Simplified HttpInvocationHandler by removing BeanContainer injection code

**Changes:**

1. **StaticAuthApplier.java**
   - Changed constructor: `StaticAuthApplier(RequestAuth, BeanContainer)`
   - Removed `cachedAuthorization` field, replaced with final `authorization` field
   - Authorization created immediately in constructor
   - Removed `setBeanContainer()` method
   - Simplified `apply()` method - no more null checks
   - Reduced from 118 lines to 95 lines

2. **AnnotationParser.java**
   - `getClassLevelAuthAppliers()`: Pass `this.beanContainer` to StaticAuthApplier
   - `getMethodLevelAuthAppliers()`: Pass `this.beanContainer` to StaticAuthApplier

3. **HttpInvocationHandler.java**
   - Removed instanceof check and setBeanContainer() call
   - Simplified staticApplier loop back to basic iteration

**Benefits:**
- ✅ Simpler design: Constructor injection instead of setter injection
- ✅ Earlier error detection: Failures happen at construction time, not runtime
- ✅ Immutability: Authorization is now final, thread-safe
- ✅ Less code: Removed 31 lines of complexity
- ✅ Clear dependencies: BeanContainer dependency explicit in constructor
- ✅ Better performance: No runtime type checks or conditional initialization

**Testing:**
✅ All 233 tests pass
✅ Example 07 compiles and runs successfully
✅ No behavioral changes, purely refactoring

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* refactor: Add fail-fast validation for BeanContainer in StaticAuthApplier

Add notNull validation at constructor entry point and simplify createAuthorizationFromAnnotation
by removing redundant null check, following the fail-fast principle.

**Changes:**
- Add `notNull(beanContainer, "The bean container cannot be null.")` in constructor
- Remove redundant null check in createAuthorizationFromAnnotation method
- BeanContainer is guaranteed non-null by AnnotationParser, validate early at entry point

**Benefits:**
- ✅ Fail-fast: Errors detected immediately at construction time
- ✅ Clearer contract: BeanContainer is required, not optional
- ✅ Simplified logic: No need for null check in private method
- ✅ Consistent validation: Follows same pattern as AnnotationParser

**Testing:**
✅ AuthFieldMapperTest: 8/8 tests pass
✅ No behavioral changes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* docs: Add comprehensive documentation for HTTP client authentication

Add detailed usage manual and principles guide for @requestauth annotation system,
covering all authentication types, usage scenarios, design principles, and internals.

**Documentation Structure:**

1. **HTTP_CLIENT_AUTH_USAGE.md** - User-facing usage manual
   - Quick start guide
   - Authentication types (Bearer, Basic, API Key, Custom Provider)
   - Usage scenarios (interface/method/parameter levels)
   - Best practices (security, configuration, Provider patterns)
   - Common Q&A
   - Complete examples with HTTP request formats

2. **HTTP_CLIENT_AUTH_PRINCIPLES.md** - Internal principles guide
   - Architecture overview with component diagrams
   - Core components (AnnotationParser, StaticAuthApplier, AuthFieldMapper, etc.)
   - Detailed workflow with execution traces
   - Key design decisions (constructor injection, name attribute overloading)
   - Consistency with FEL Tool system
   - Extension guide for custom authentication types

**Content Highlights:**

- 📖 80+ code examples covering all scenarios
- 🎯 5 detailed execution flow diagrams
- 📊 Component responsibility matrix
- 🔧 Extension patterns for custom authentication
- ⚖️ Design decision rationales
- ✅ Best practices and anti-patterns

**Coverage:**

- All 4 authentication types: Bearer, Basic, API Key, Custom
- 3-level configuration: Interface, Method, Parameter
- Static vs dynamic (Provider) authentication
- Field update mechanism for parameter-level auth
- BASIC auth dual-parameter support with name attribute
- Integration with BeanContainer and FEL Tool system

**Target Audience:**

- Usage Manual: Developers using HTTP client authentication
- Principles Guide: Framework developers and contributors

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: Claude <[email protected]>

Author: CodeCasterX

examples/fit-example/07-http-client-proxy/plugin-http-client/src/main/java/modelengine/fit/example/client/TestAuthClient.java

@@ -27,86 +27,105 @@
 @HttpProxy
 @RequestAddress(protocol = "http", host = "localhost", port = "8080")
 @RequestMapping(path = "/http-server/auth")
-/**
- * 接口级别的默认鉴权：API Key
- */
 @RequestAuth(type = AuthType.API_KEY, name = "X-Service-Key", value = "service-default-key")
 public interface TestAuthClient extends TestAuthInterface {
-    @Override
-    @GetMapping(path = "/bearer-static")
     /**
      * 方法级别覆盖：使用 Bearer Token
      */
+    @Override
+    @GetMapping(path = "/bearer-static")
     @RequestAuth(type = AuthType.BEARER, value = "static-bearer-token-12345")
     String testBearerStatic();
 
-    @Override
-    @GetMapping(path = "/bearer-dynamic")
     /**
      * 方法级别覆盖：使用参数驱动的 Bearer Token
      */
+    @Override
+    @GetMapping(path = "/bearer-dynamic")
     String testBearerDynamic(@RequestAuth(type = AuthType.BEARER) String token);
 
-    @Override
-    @GetMapping(path = "/basic-static")
     /**
      * 方法级别覆盖：使用 Basic Auth
      */
+    @Override
+    @GetMapping(path = "/basic-static")
     @RequestAuth(type = AuthType.BASIC, username = "admin", password = "secret123")
     String testBasicStatic();
 
-    @Override
-    @GetMapping(path = "/apikey-header-static")
     /**
      * 方法级别覆盖：API Key 在 Header 中
      */
+    @Override
+    @GetMapping(path = "/apikey-header-static")
     @RequestAuth(type = AuthType.API_KEY, name = "X-API-Key", value = "static-api-key-67890")
     String testApiKeyHeaderStatic();
 
-    @Override
-    @GetMapping(path = "/apikey-query-static")
     /**
      * 方法级别覆盖：API Key 在 Query 参数中
      */
+
+    @Override
+    @GetMapping(path = "/apikey-query-static")
     @RequestAuth(type = AuthType.API_KEY, name = "api_key", value = "query-api-key-111", location = Source.QUERY)
     String testApiKeyQueryStatic();
 
-    @Override
-    @GetMapping(path = "/apikey-dynamic")
     /**
      * 参数驱动的 API Key
      */
+    @Override
+    @GetMapping(path = "/apikey-dynamic")
     String testApiKeyDynamic(@RequestAuth(type = AuthType.API_KEY, name = "X-Dynamic-Key") String apiKey);
 
-    @Override
-    @GetMapping(path = "/dynamic-provider")
     /**
      * 方法级别覆盖：使用动态 Token Provider
      */
+    @Override
+    @GetMapping(path = "/dynamic-provider")
     @RequestAuth(type = AuthType.BEARER, provider = DynamicTokenProvider.class)
     String testDynamicProvider();
 
-    @Override
-    @GetMapping(path = "/custom-provider")
     /**
      * 方法级别覆盖：使用自定义签名 Provider
      */
+    @Override
+    @GetMapping(path = "/custom-provider")
     @RequestAuth(type = AuthType.CUSTOM, provider = CustomSignatureProvider.class)
     String testCustomProvider();
 
-    @Override
-    @GetMapping(path = "/method-override")
     /**
      * 方法级别覆盖：使用 API Key Provider
      */
+    @Override
+    @GetMapping(path = "/method-override")
     @RequestAuth(type = AuthType.API_KEY, provider = ApiKeyProvider.class)
     String testMethodOverride();
 
-    @Override
-    @GetMapping(path = "/combined-auth")
     /**
      * 组合鉴权：服务级 API Key + 用户 Token
      */
+    @Override
+    @GetMapping(path = "/combined-auth")
     @RequestAuth(type = AuthType.BEARER, provider = DynamicTokenProvider.class)
     String testCombinedAuth(@RequestAuth(type = AuthType.API_KEY, name = "X-User-Context") String userToken);
+
+    /**
+     * 参数级别的 Basic Auth - 使用参数覆盖静态配置的 username
+     * <p>演示：方法级别提供完整的 BASIC 认证（username + password），
+     * 参数级别动态覆盖 username 字段（不指定 name 时默认更新 username）</p>
+     */
+    @Override
+    @GetMapping(path = "/basic-dynamic-username")
+    @RequestAuth(type = AuthType.BASIC, username = "static-user", password = "static-password")
+    String testBasicDynamicUsername(@RequestAuth(type = AuthType.BASIC) String username);
+
+    /**
+     * 参数级别的 Basic Auth - 使用参数分别覆盖 username 和 password
+     * <p>演示：方法级别提供完整的 BASIC 认证作为基础，
+     * 参数级别使用 name 属性明确指定要覆盖的字段（username 或 password）</p>
+     */
+    @Override
+    @GetMapping(path = "/basic-dynamic-both")
+    @RequestAuth(type = AuthType.BASIC, username = "base-user", password = "base-password")
+    String testBasicDynamicBoth(@RequestAuth(type = AuthType.BASIC, name = "username") String username,
+            @RequestAuth(type = AuthType.BASIC, name = "password") String password);
 }

examples/fit-example/07-http-client-proxy/plugin-http-client/src/main/java/modelengine/fit/example/client/TestAuthInterface.java

@@ -86,4 +86,21 @@ public interface TestAuthInterface {
      * @return 鉴权测试结果
      */
     String testCombinedAuth(String userToken);
+
+    /**
+     * 测试参数级别的 Basic Auth - 单参数更新 username（向后兼容）。
+     *
+     * @param username 用户名
+     * @return 鉴权测试结果
+     */
+    String testBasicDynamicUsername(String username);
+
+    /**
+     * 测试参数级别的 Basic Auth - 双参数分别更新 username 和 password。
+     *
+     * @param username 用户名
+     * @param password 密码
+     * @return 鉴权测试结果
+     */
+    String testBasicDynamicBoth(String username, String password);
 }

examples/fit-example/07-http-client-proxy/plugin-http-client/src/main/java/modelengine/fit/example/controller/TestClientController.java

@@ -104,14 +104,21 @@ public Object test(@RequestQuery("type") String type, @RequestQuery("method") St
      */
     @GetMapping(path = "/auth-test")
     public Object authTest(@RequestQuery("method") String method,
-                          @RequestQuery(value = "token", required = false) String token) {
+            @RequestQuery(value = "token", required = false) String token,
+            @RequestQuery(value = "username", required = false) String username,
+            @RequestQuery(value = "password", required = false) String password) {
         switch (method) {
             case "bearerStatic":
                 return authClient.testBearerStatic();
             case "bearerDynamic":
                 return authClient.testBearerDynamic(token != null ? token : "dynamic-test-token");
             case "basicStatic":
                 return authClient.testBasicStatic();
+            case "basicDynamicUsername":
+                return authClient.testBasicDynamicUsername(username != null ? username : "testuser");
+            case "basicDynamicBoth":
+                return authClient.testBasicDynamicBoth(username != null ? username : "testuser",
+                        password != null ? password : "testpass");
             case "apiKeyHeaderStatic":
                 return authClient.testApiKeyHeaderStatic();
             case "apiKeyQueryStatic":

examples/fit-example/07-http-client-proxy/plugin-http-server/src/main/java/modelengine/fit/example/controller/TestAuthServerController.java

@@ -106,4 +106,14 @@ public String testCombinedAuth(@RequestHeader(name = "Authorization") String aut
         }
         return result;
     }
+
+    @GetMapping(path = "/basic-dynamic-username")
+    public String testBasicDynamicUsername(@RequestHeader(name = "Authorization") String authorization) {
+        return "Basic Dynamic Username: " + authorization;
+    }
+
+    @GetMapping(path = "/basic-dynamic-both")
+    public String testBasicDynamicBoth(@RequestHeader(name = "Authorization") String authorization) {
+        return "Basic Dynamic Both: " + authorization;
+    }
 }

examples/fit-example/07-http-client-proxy/run_tests.sh

@@ -174,6 +174,18 @@ run_basic_tests() {
     run_test "Basic Static Auth" \
         "curl -s --max-time $TIMEOUT -X GET \"$BASE_URL/basic-static\" -H \"Authorization: Basic YWRtaW46c2VjcmV0MTIz\" -H \"X-Service-Key: service-default-key\"" \
         "Basic Static Auth: Basic YWRtaW46c2VjcmV0MTIz"
+
+    # testuser:static-password 的 base64 编码 (dGVzdHVzZXI6c3RhdGljLXBhc3N3b3Jk)
+    # 参数覆盖 username: testuser，保留方法级别的 password: static-password
+    run_test "Basic Dynamic Username" \
+        "curl -s --max-time $TIMEOUT -X GET \"$BASE_URL/basic-dynamic-username\" -H \"Authorization: Basic dGVzdHVzZXI6c3RhdGljLXBhc3N3b3Jk\"" \
+        "Basic Dynamic Username: Basic dGVzdHVzZXI6c3RhdGljLXBhc3N3b3Jk"
+
+    # testuser:testpass 的 base64 编码 (dGVzdHVzZXI6dGVzdHBhc3M=)
+    # 参数分别覆盖 username 和 password
+    run_test "Basic Dynamic Both" \
+        "curl -s --max-time $TIMEOUT -X GET \"$BASE_URL/basic-dynamic-both\" -H \"Authorization: Basic dGVzdHVzZXI6dGVzdHBhc3M=\"" \
+        "Basic Dynamic Both: Basic dGVzdHVzZXI6dGVzdHBhc3M="
 }
 
 # API Key 测试

framework/fit/java/fit-builtin/plugins/fit-client-http/src/main/java/modelengine/fit/client/http/support/HttpProxyCreator.java

@@ -67,7 +67,7 @@ public void onBeanContainerInitialized(BeanContainer container) {
         }
         List<Class<?>> classes = this.scan(container, packages);
         for (Class<?> clazz : classes) {
-            AnnotationParser annotationParser = new AnnotationParser(this.valueFetcher);
+            AnnotationParser annotationParser = new AnnotationParser(this.valueFetcher, container);
             Map<Method, HttpInfo> httpInfoMap = annotationParser.parseInterface(clazz);
             // Scan all interfaces, create proxy objects for each, and register them in the container.
             container.registry()