This is an automated email from the ASF dual-hosted git repository.
epugh pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-mcp.git
The following commit(s) were added to refs/heads/main by this push:
new 705bc5f feat(security): add configurable security bypass for HTTP
mode (#40)
705bc5f is described below
commit 705bc5f74ca73f1592a19062fb310e81d6942601
Author: Aditya Parikh <[email protected]>
AuthorDate: Tue Feb 3 17:03:03 2026 -0500
feat(security): add configurable security bypass for HTTP mode (#40)
Add ability to disable OAuth2 security in HTTP mode for local development
and testing scenarios. Security can be toggled via spring.security.enabled
property:
- spring.security.enabled=true (default): Full OAuth2 authentication
- spring.security.enabled=false: All requests permitted, @PreAuthorize
bypassed
Changes:
- Add @ConditionalOnProperty to SecurityFilterChain beans
- Extract @EnableMethodSecurity to separate MethodSecurityConfiguration
- Add unsecured() filter chain for when security is disabled
- Default to security disabled in application-http.properties
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.5 <[email protected]>
---
.../mcp/server/config/McpServerConfiguration.java | 15 +++++++--
.../server/config/MethodSecurityConfiguration.java | 37 ++++++++++++++++++++++
.../mcp/server/metadata/CollectionService.java | 19 ++++++-----
.../solr/mcp/server/metadata/SchemaService.java | 4 +--
src/main/resources/application-http.properties | 4 ++-
5 files changed, 63 insertions(+), 16 deletions(-)
diff --git
a/src/main/java/org/apache/solr/mcp/server/config/McpServerConfiguration.java
b/src/main/java/org/apache/solr/mcp/server/config/McpServerConfiguration.java
index 5a4b0ab..17b4070 100644
---
a/src/main/java/org/apache/solr/mcp/server/config/McpServerConfiguration.java
+++
b/src/main/java/org/apache/solr/mcp/server/config/McpServerConfiguration.java
@@ -19,10 +19,10 @@ package org.apache.solr.mcp.server.config;
import java.util.List;
import
org.springaicommunity.mcp.security.server.config.McpServerOAuth2Configurer;
import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
-import
org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import
org.springframework.security.config.annotation.web.builders.HttpSecurity;
import
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import
org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
@@ -34,13 +34,13 @@ import
org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@Profile("http")
@Configuration
@EnableWebSecurity
-@EnableMethodSecurity // ⬅️ enable annotation-driven security
class McpServerConfiguration {
- @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
+ @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri:}")
private String issuerUrl;
@Bean
+ @ConditionalOnProperty(name = "spring.security.enabled", havingValue =
"true", matchIfMissing = true)
SecurityFilterChain securityFilterChain(HttpSecurity http) throws
Exception {
return http
// ⬇️ Open every request on the server
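Review bot: A value of `spring.security.enabled` other than `true` or `false` (a typo, `yes`, an empty `SECURITY_ENABLED`) matches neither the condition added on `securityFilterChain` nor the `havingValue = "false"` condition on `unsecured`. It also fails the condition on `MethodSecurityConfiguration`, so `@PreAuthorize` stops being enforced while the web-layer behaviour is left to whatever auto-configuration supplies. Dropping `havingValue` on the secured side keeps security on for everything except an explicit `false`: `@ConditionalOnProperty(name = "spring.security.enabled", matchIfMissing = true)`, and the same change applies to the class-level condition in MethodSecurityConfiguration. Separately, the new empty default in `${spring.security.oauth2.resourceserver.jwt.issuer-uri:}` lets the secured chain start with a blank issuer; the body of `securityFilterChain` continues outside the hunk, so how `issuerUrl` is used cannot be checked here, but a fail-fast check for a blank issuer when security is enabled would be worth adding.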
@@ -60,6 +60,15 @@ class McpServerConfiguration {
.build();
}
+ @Bean
+ @ConditionalOnProperty(name = "spring.security.enabled", havingValue =
"false")
+ SecurityFilterChain unsecured(HttpSecurity http) throws Exception {
+ return http.authorizeHttpRequests(auth ->
auth.anyRequest().permitAll())
+ // MCP inspector
+ .cors(cors ->
cors.configurationSource(corsConfigurationSource())).csrf(CsrfConfigurer::disable)
+ .build();
+ }
+
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(List.of("*"));
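Review bot: The `unsecured` chain combines `anyRequest().permitAll()` with CSRF disabled and the shared `corsConfigurationSource()`, whose visible first lines allow the origin pattern `*`. With that combination, any web page loaded in a browser that can reach the server may call every endpoint cross-origin, and nothing at startup tells the operator that authentication is off. I would give the unsecured chain its own CORS source restricted to local origins, for example `configuration.setAllowedOriginPatterns(List.of("http://localhost:[*]", "http://127.0.0.1:[*]"));`. I would also log one warning when the bean is created, such as `log.warn("spring.security.enabled=false: all HTTP requests are permitted without authentication");`, assuming the class has or gains a logger. The `// MCP inspector` comment would be clearer as `// CORS open and CSRF off so the browser-based MCP inspector can connect`. The rest of `corsConfigurationSource` lies outside the hunk.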
diff --git
a/src/main/java/org/apache/solr/mcp/server/config/MethodSecurityConfiguration.java
b/src/main/java/org/apache/solr/mcp/server/config/MethodSecurityConfiguration.java
new file mode 100644
index 0000000..7345a57
--- /dev/null
+++
b/src/main/java/org/apache/solr/mcp/server/config/MethodSecurityConfiguration.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.mcp.server.config;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import
org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+
+/**
+ * Configuration class that enables method-level security only when
+ * spring.security.enabled=true (or not set).
+ *
+ * <p>
+ * This allows the application to run without authentication when
+ * spring.security.enabled=false, bypassing @PreAuthorize annotations.
+ */
+@Profile("http")
+@Configuration
+@ConditionalOnProperty(name = "spring.security.enabled", havingValue = "true",
matchIfMissing = true)
+@EnableMethodSecurity
+class MethodSecurityConfiguration {
+}
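Review bot: The toggle name `spring.security.enabled` sits in Spring Boot's own `spring.security.*` namespace although, as far as I can tell, it is defined only by this project, and its literal is now repeated in three `@ConditionalOnProperty` annotations across two classes. An operator may assume framework semantics, and a later edit to one condition can leave method security and the filter chains disagreeing. The Javadoc should state that the three conditions must stay in step and that with the property set to `false` every `@PreAuthorize` in the application is inert, for example `Must match the conditions on the SecurityFilterChain beans in McpServerConfiguration; when disabled, no @PreAuthorize check runs.` A shared constant for the property name, or a project-scoped prefix, would make the coupling explicit.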
diff --git
a/src/main/java/org/apache/solr/mcp/server/metadata/CollectionService.java
b/src/main/java/org/apache/solr/mcp/server/metadata/CollectionService.java
index 28370cf..eb2c606 100644
--- a/src/main/java/org/apache/solr/mcp/server/metadata/CollectionService.java
+++ b/src/main/java/org/apache/solr/mcp/server/metadata/CollectionService.java
@@ -16,7 +16,16 @@
*/
package org.apache.solr.mcp.server.metadata;
+import static org.apache.solr.mcp.server.metadata.CollectionUtils.getFloat;
+import static org.apache.solr.mcp.server.metadata.CollectionUtils.getInteger;
+import static org.apache.solr.mcp.server.metadata.CollectionUtils.getLong;
+import static org.apache.solr.mcp.server.util.JsonUtils.toJson;
+
import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
import org.apache.solr.client.solrj.SolrClient;
import org.apache.solr.client.solrj.SolrQuery;
import org.apache.solr.client.solrj.SolrRequest;
@@ -41,16 +50,6 @@ import org.springaicommunity.mcp.annotation.McpTool;
import org.springaicommunity.mcp.annotation.McpToolParam;
import org.springframework.stereotype.Service;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-
-import static org.apache.solr.mcp.server.metadata.CollectionUtils.getFloat;
-import static org.apache.solr.mcp.server.metadata.CollectionUtils.getInteger;
-import static org.apache.solr.mcp.server.metadata.CollectionUtils.getLong;
-import static org.apache.solr.mcp.server.util.JsonUtils.toJson;
-
/**
* Spring Service providing comprehensive Solr collection management and
* monitoring capabilities for Model Context Protocol (MCP) clients.
diff --git
a/src/main/java/org/apache/solr/mcp/server/metadata/SchemaService.java
b/src/main/java/org/apache/solr/mcp/server/metadata/SchemaService.java
index a3b8f05..31f62f1 100644
--- a/src/main/java/org/apache/solr/mcp/server/metadata/SchemaService.java
+++ b/src/main/java/org/apache/solr/mcp/server/metadata/SchemaService.java
@@ -16,6 +16,8 @@
*/
package org.apache.solr.mcp.server.metadata;
+import static org.apache.solr.mcp.server.util.JsonUtils.toJson;
+
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.solr.client.solrj.SolrClient;
import org.apache.solr.client.solrj.request.schema.SchemaRequest;
@@ -24,8 +26,6 @@ import org.springaicommunity.mcp.annotation.McpResource;
import org.springaicommunity.mcp.annotation.McpTool;
import org.springframework.stereotype.Service;
-import static org.apache.solr.mcp.server.util.JsonUtils.toJson;
-
/**
* Spring Service providing schema introspection and management capabilities
for
* Apache Solr collections.
diff --git a/src/main/resources/application-http.properties
b/src/main/resources/application-http.properties
index 60c5daa..1f96a7b 100644
--- a/src/main/resources/application-http.properties
+++ b/src/main/resources/application-http.properties
@@ -7,4 +7,6 @@ spring.ai.mcp.server.stdio=false
# For Auth0: https://<your-auth0-domain>/.well-known/openid-configuration
# For Keycloak: https://<keycloak-host>/realms/<realm-name>
# For Okta:
https://<your-okta-domain>/oauth2/default/.well-known/openid-configuration
-spring.security.oauth2.resourceserver.jwt.issuer-uri=${OAUTH2_ISSUER_URI:https://your-auth0-domain.auth0.com/}
\ No newline at end of file
+spring.security.oauth2.resourceserver.jwt.issuer-uri=${OAUTH2_ISSUER_URI:https://your-auth0-domain.auth0.com/}
+# Security toggle - set to true to enable OAuth2 authentication, false to
bypass
+spring.security.enabled=${SECURITY_ENABLED:false}
\ No newline at end of file
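Review bot: The added line `spring.security.enabled=${SECURITY_ENABLED:false}` makes the http profile start without authentication unless the operator sets `SECURITY_ENABLED`, which inverts the secure default that `matchIfMissing = true` expresses in the Java conditions. A deployment that only activates the profile and supplies an issuer URI would run with all requests permitted and `@PreAuthorize` bypassed. I would ship `spring.security.enabled=${SECURITY_ENABLED:true}` and have local development opt out explicitly. The comment could then read `# Security toggle - OAuth2 authentication is on by default; set SECURITY_ENABLED=false only for local development`.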