adityamparikh opened a new pull request, #125: URL: https://github.com/apache/solr-mcp/pull/125
## Summary

Flip the `http.security.enabled` default from `false` to `true` so anyone running the MCP server in HTTP mode without explicit configuration gets the OAuth2-protected filter chain. The [MCP Authorization specification](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization) requires HTTP-based MCP servers to authenticate; defaulting to insecure was a footgun for any operator exposing the server beyond their laptop.

Operators who explicitly want the unsecured filter chain (local development, integration tests) set `HTTP_SECURITY_ENABLED=false`.

## Operator impact

| Scenario | Before | After |
|---|---|---|
| `PROFILES=http ./gradlew bootRun` (no env) | Anonymous on every endpoint | OAuth2 enforced, requires `OAUTH2_ISSUER_URI` |
| `HTTP_SECURITY_ENABLED=true PROFILES=http ./gradlew bootRun` | OAuth2 enforced | OAuth2 enforced (no change) |
| `HTTP_SECURITY_ENABLED=false PROFILES=http ./gradlew bootRun` | Unsecured | Unsecured (explicit opt-out) |
| STDIO mode | No effect | No effect |

`DistributedTracingTest` activates the `http` profile but does not exercise the OAuth2 filter chain, so it opts out via `http.security.enabled=false` on `@SpringBootTest` properties — otherwise the test context would try to fetch JWKS from the placeholder issuer URI at startup and fail.

## Recommended pre-merge order

This PR is best landed **after** PRs that harden the secured filter chain itself:

- #120 — `@PreAuthorize` on metadata tools (so all MCP tools are gated, not just the four already annotated)
- #121 — CORS allowlist (so the secured server doesn't ship with wildcard origins)
- #123 — JWT audience validation (so accepted tokens are actually for this server)
- #124 — Actuator hardening (so the secured server doesn't expose loggers/sbom anonymously)

Otherwise this PR exposes any pre-existing weaknesses to anyone who flips the toggle by accident.

## Test plan

- [x] `./gradlew spotlessApply` clean
- [x] `./gradlew build` passes (full test suite, 36s, including `DistributedTracingTest`)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
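As an added illustration (not code from the solr-mcp project or this PR), here is one way a Spring Boot service expresses the "unset means secured" default the PR describes, with the unsecured chain only created on an explicit opt-out. The class and bean names are assumed, as is the presence of the Spring Security OAuth2 resource-server starter on the classpath.

```java
// Added example, not apache/solr-mcp code. Shows the Spring Boot pattern that
// makes a missing http.security.enabled resolve to the secured filter chain.
// Relaxed binding maps HTTP_SECURITY_ENABLED=false to http.security.enabled=false.
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class HttpSecurityToggleConfig { // hypothetical class name

    // matchIfMissing = true is the "flip the default": with no property set,
    // this bean is created and every request needs a valid JWT issued by
    // the configured spring.security.oauth2.resourceserver.jwt.issuer-uri.
    @Bean
    @ConditionalOnProperty(name = "http.security.enabled",
                           havingValue = "true", matchIfMissing = true)
    SecurityFilterChain securedChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
                .csrf(csrf -> csrf.disable()) // bearer-token API, no browser session
                .build();
    }

    // Only created when the operator explicitly sets the property to false
    // (local development, or a test such as
    // @SpringBootTest(properties = "http.security.enabled=false")).
    @Bean
    @ConditionalOnProperty(name = "http.security.enabled", havingValue = "false")
    SecurityFilterChain unsecuredChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
                .csrf(csrf -> csrf.disable())
                .build();
    }
}
```

With the secured chain active and no issuer URI configured, the context fails at startup rather than silently serving anonymously, which is the behaviour the operator-impact table above describes for the no-env case.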
