adityamparikh opened a new pull request, #124:
URL: https://github.com/apache/solr-mcp/pull/124
## Summary
The secured filter chain matched \`/actuator\` and \`/actuator/*\` with
\`permitAll\`, which exposed the entire actuator surface anonymously even when
\`http.security.enabled=true\`:
- \`/actuator/sbom\` — full dependency tree (recon for known CVEs)
- \`/actuator/loggers\` — logger-name list (effectively a package-tree map
of the codebase). The write endpoint at \`/actuator/loggers/{name}\` is
currently shielded by Spring's path-matcher (the \`*\` wildcard doesn't span
segments), but relying on that for security is brittle.
- \`/actuator/prometheus\` and \`/actuator/metrics\` — every \`@McpTool\`
URI shows up as a metric label, plus JVM/Solr internals
- \`/actuator/info\` — build/git info
Tighten the matchers:
- \`/actuator/health\` stays anonymously reachable (load balancers and
orchestrators need it)
- Everything else under \`/actuator\` requires an authenticated principal
Operators who need a metrics scraper without tokens can configure scraper
auth or move actuator to a separate management port (\`management.server.port\`
+ \`management.server.address=127.0.0.1\`) — neither is changed here.
## Operator impact
| Endpoint | Before | After |
|---|---|---|
| \`/actuator/health\` | Anonymous ✓ | Anonymous ✓ |
| \`/actuator/sbom\` | Anonymous | Auth required |
| \`/actuator/loggers\` | Anonymous | Auth required |
| \`/actuator/prometheus\` | Anonymous | Auth required |
| \`/actuator/metrics\` | Anonymous | Auth required |
| \`/actuator/info\` | Anonymous | Auth required |
Only relevant when \`http.security.enabled=true\` (currently opt-in,
defaults to false). The \`unsecured\` filter chain is unchanged.
## Test plan
- [x] \`./gradlew spotlessApply\` clean
- [x] \`./gradlew build\` passes (full test suite, 37s)
## Note on PR ordering
Touches \`HttpSecurityConfiguration.java\`. Overlaps with #121 (CORS
allowlist) and #123 (audience validation). Whichever lands later will need a
small rebase.
## References
- [CWE-732: Incorrect Permission Assignment for Critical
Resource](https://cwe.mitre.org/data/definitions/732.html)
- [Spring Boot Actuator —
Endpoints](https://docs.spring.io/spring-boot/reference/actuator/endpoints.html)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
