This is an automated email from the ASF dual-hosted git repository.
epugh pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-mcp.git
The following commit(s) were added to refs/heads/main by this push:
new 015eedd fix(security): make HTTP mode secure by default (#125)
015eedd is described below
commit 015eedd7275d4f23d67ccab15e5867a2e6aac6cd
Author: Aditya Parikh <[email protected]>
AuthorDate: Fri May 8 16:51:18 2026 -0400
fix(security): make HTTP mode secure by default (#125)
Flip the http.security.enabled default from false to true so anyone
running the MCP server in HTTP mode without explicit configuration gets
the OAuth2-protected filter chain rather than the unsecured one. The
MCP Authorization specification requires HTTP-based MCP servers to
authenticate; defaulting to insecure was a footgun for any operator
exposing the server beyond their laptop.
Operators who explicitly want the unsecured filter chain (local
development, integration tests) set HTTP_SECURITY_ENABLED=false. The
inverted comment block makes the new posture clear.
DistributedTracingTest activates the http profile but does not exercise
the OAuth2 filter chain, so it opts out via http.security.enabled=false
on @SpringBootTest properties — otherwise the test context would try
to fetch JWKS from the placeholder issuer URI at startup and fail.
Refs:
- MCP Authorization specification:
https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
Signed-off-by: adityamparikh <[email protected]>
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
src/main/resources/application-http.properties | 7 +++++--
.../solr/mcp/server/observability/DistributedTracingTest.java | 3 +++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/main/resources/application-http.properties
b/src/main/resources/application-http.properties
index 95daa2e..04504c0 100644
--- a/src/main/resources/application-http.properties
+++ b/src/main/resources/application-http.properties
@@ -11,8 +11,11 @@ spring.docker.compose.enabled=true
# For Keycloak: https://<keycloak-host>/realms/<realm-name>
# For Okta:
https://<your-okta-domain>/oauth2/default/.well-known/openid-configuration
spring.security.oauth2.resourceserver.jwt.issuer-uri=${OAUTH2_ISSUER_URI:https://your-auth0-domain.auth0.com/}
-# Security toggle - set to true to enable OAuth2 authentication, false to
bypass
-http.security.enabled=${HTTP_SECURITY_ENABLED:false}
+# Security toggle - HTTP mode is secured by default. Set
HTTP_SECURITY_ENABLED=false
+# to bypass OAuth2 authentication for local development only. Disabling
security
+# in any environment reachable from the network is unsafe; the MCP
Authorization
+# specification requires HTTP-based MCP servers to authenticate.
+http.security.enabled=${HTTP_SECURITY_ENABLED:true}
# observability
management.endpoints.web.exposure.include=health,sbom,metrics,info,loggers,prometheus
# Enable @Observed annotation support for custom spans
diff --git
a/src/test/java/org/apache/solr/mcp/server/observability/DistributedTracingTest.java
b/src/test/java/org/apache/solr/mcp/server/observability/DistributedTracingTest.java
index 4521b55..71d6e40 100644
---
a/src/test/java/org/apache/solr/mcp/server/observability/DistributedTracingTest.java
+++
b/src/test/java/org/apache/solr/mcp/server/observability/DistributedTracingTest.java
@@ -54,6 +54,9 @@ import org.testcontainers.junit.jupiter.Testcontainers;
@SpringBootTest(properties = {
// Enable HTTP mode for observability
"spring.profiles.active=http",
+ // Tracing test does not exercise the OAuth2 filter chain; opt
out of
+ // secure-by-default to avoid requiring a live JWKS endpoint at
startup.
+ "http.security.enabled=false",
// Disable OTLP export in tests - we're using SimpleTracer
instead
"management.otlp.tracing.endpoint=",
"management.opentelemetry.logging.export.otlp.enabled=false",
// Ensure 100% sampling for tests
