fix(security): require authentication for metadata MCP tools #120
Merged
epugh merged 1 commit intoMay 8, 2026
Adds @PreAuthorize("isAuthenticated()") to the four MCP tools that previously allowed anonymous access in HTTP mode with security enabled:

- CollectionService.listCollections
- CollectionService.getCollectionStats
- CollectionService.checkHealth
- SchemaService.getSchema

These tools expose collection inventory, document counts, cache/handler statistics, health, and schema fields — useful reconnaissance for an attacker probing the underlying Solr cluster. Without method-level security they were reachable anonymously because the SecurityFilterChain permits the /mcp endpoint at the HTTP layer (matching the upstream spring-ai-community/mcp-security "secured tools" sample, which relies entirely on @PreAuthorize for tool gating).

The annotation is inert in STDIO mode (MethodSecurityConfiguration is @Profile("http")) and inert in HTTP mode when http.security.enabled is false, so this is non-breaking for existing users.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: adityamparikh <aditya.m.parikh@gmail.com>
This was referenced May 2, 2026
Summary

Adds @PreAuthorize("isAuthenticated()") to four MCP tools that previously allowed anonymous access in HTTP mode (when security is enabled):

- CollectionService.listCollections
- CollectionService.getCollectionStats
- CollectionService.checkHealth
- SchemaService.getSchema

These expose collection inventory, document counts, cache/handler stats, health, and schema fields — useful reconnaissance for an attacker probing the underlying Solr cluster. They were reachable anonymously because the SecurityFilterChain permits /mcp at the HTTP layer (matching the upstream spring-ai-community/mcp-security "secured tools" sample, which relies entirely on @PreAuthorize for per-tool gating). The other tool methods (search, index-*, create-collection) already had this annotation.

This is the canonical pattern from the upstream sample — the filter chain stays permitAll on /mcp, and method-level security gates each tool individually.

Behavior

- MethodSecurityConfiguration is @Profile("http"), so the annotation is inert.
- http.security.enabled=false: no change. Method security bean isn't loaded.
- http.security.enabled=true: previously-anonymous tools now require a valid OAuth2 bearer token. This is the intended security model.

Test plan

- ./gradlew spotlessApply clean
- ./gradlew build passes (unit + integration tests)

🤖 Generated with Claude Code
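
A regression guard for the gap described above, as an added example that is not code from this PR or the project: with /mcp left permitAll at the filter chain, any tool method lacking @PreAuthorize is reachable anonymously, so the check lists every such method. The Tool and PreAuthorize annotations here are stand-ins so the file runs with the JDK alone, and SampleService, its tool names and ungatedTools are constructed for illustration.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public class ToolGateAudit {
    // Stand-ins so the file compiles with the JDK alone. In a real project, delete these
    // and import Spring Security's @PreAuthorize and the project's tool annotation.
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.METHOD, ElementType.TYPE})
    @interface PreAuthorize { String value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Tool { String name(); }

    // Constructed sample service: one gated tool, one left open, one non-tool helper.
    static class SampleService {
        @Tool(name = "search") @PreAuthorize("isAuthenticated()")
        public String search(String q) { return "results"; }

        @Tool(name = "list-collections") // no gate: anonymous when /mcp is permitAll
        public List<String> listCollections() { return List.of("c1"); }

        public String helper() { return "not exposed as a tool"; }
    }

    /** Returns "Class#method" for every tool method with no method- or class-level gate. */
    static List<String> ungatedTools(Class<?>... services) {
        List<String> missing = new ArrayList<>();
        for (Class<?> svc : services) {
            boolean classGated = svc.isAnnotationPresent(PreAuthorize.class);
            for (Method m : svc.getDeclaredMethods()) {
                if (!m.isAnnotationPresent(Tool.class)) continue; // only exposed tools matter
                if (!classGated && !m.isAnnotationPresent(PreAuthorize.class)) {
                    missing.add(svc.getSimpleName() + "#" + m.getName());
                }
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        List<String> missing = ungatedTools(SampleService.class);
        missing.forEach(name -> System.out.println("UNGATED TOOL: " + name));
        if (!missing.isEmpty()) System.exit(1); // fail the build, as a unit test would
    }
}
```

Run as a unit test over the real service classes, the same loop turns a forgotten annotation on a new tool into a build failure instead of an anonymous endpoint.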