This is an automated email from the ASF dual-hosted git repository.

epugh pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-mcp.git


The following commit(s) were added to refs/heads/main by this push:
     new 8b473f6  fix(security): require authentication for metadata MCP tools 
(#120)
8b473f6 is described below

commit 8b473f6599837e0046ccc940c0b0eda1c76a49a0
Author: Aditya Parikh <[email protected]>
AuthorDate: Fri May 8 16:52:02 2026 -0400

    fix(security): require authentication for metadata MCP tools (#120)
    
    Adds @PreAuthorize("isAuthenticated()") to the four MCP tools that
    previously allowed anonymous access in HTTP mode with security enabled:
    
    - CollectionService.listCollections
    - CollectionService.getCollectionStats
    - CollectionService.checkHealth
    - SchemaService.getSchema
    
    These tools expose collection inventory, document counts, cache/handler
    statistics, health, and schema fields — useful reconnaissance for an
    attacker probing the underlying Solr cluster. Without method-level
    security they were reachable anonymously because the SecurityFilterChain
    permits the /mcp endpoint at the HTTP layer (matching the upstream
    spring-ai-community/mcp-security "secured tools" sample, which relies
    entirely on @PreAuthorize for tool gating).
    
    The annotation is inert in STDIO mode (MethodSecurityConfiguration is
    @Profile("http")) and inert in HTTP mode when http.security.enabled is
    false, so this is non-breaking for existing users.
    
    Signed-off-by: adityamparikh <[email protected]>
    Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
 .../java/org/apache/solr/mcp/server/collection/CollectionService.java  | 3 +++
 src/main/java/org/apache/solr/mcp/server/metadata/SchemaService.java   | 2 ++
 2 files changed, 5 insertions(+)

diff --git 
a/src/main/java/org/apache/solr/mcp/server/collection/CollectionService.java 
b/src/main/java/org/apache/solr/mcp/server/collection/CollectionService.java
index 48ec56d..f20ed2b 100644
--- a/src/main/java/org/apache/solr/mcp/server/collection/CollectionService.java
+++ b/src/main/java/org/apache/solr/mcp/server/collection/CollectionService.java
@@ -333,6 +333,7 @@ public class CollectionService {
         *         them
         * @see CollectionAdminRequest.List
         */
+       @PreAuthorize("isAuthenticated()")
        @McpTool(name = "list-collections", description = "List solr 
collections")
        public List<String> listCollections() {
                try {
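Review bot: The new `@PreAuthorize("isAuthenticated()")` on listCollections is only enforced when the call goes through the Spring method-security proxy, so the fix does nothing if the MCP tool registry invokes the target bean directly or if another method in CollectionService calls listCollections() internally; the commit message says the upstream sample relies on this mechanism, so the proxy path is presumably exercised, but nothing in the diff confirms it, and the same applies to the identical annotations on getCollectionStats, checkHealth and SchemaService.getSchema. The diffstat shows no test changes, so nothing pins the new behaviour — a test under the http profile that invokes each of the four tools anonymously and expects an AccessDeniedException would catch both a proxy bypass and a later removal of the annotation. The Javadoc directly above the annotation still presents the tool as unconditionally available; adding `* <p>Requires an authenticated caller when HTTP-mode method security is enabled; inert in STDIO mode.` to each of the four Javadoc blocks would keep them accurate. The body of listCollections continues outside the hunk.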
@@ -407,6 +408,7 @@ public class CollectionService {
         * @see LukeRequest
         * @see #extractCollectionName(String)
         */
+       @PreAuthorize("isAuthenticated()")
        @McpTool(name = "get-collection-stats", description = "Get 
stats/metrics on a Solr collection")
        public SolrMetrics getCollectionStats(
                        @McpToolParam(description = "Solr collection to get 
stats/metrics for") String collection)
@@ -955,6 +957,7 @@ public class CollectionService {
         * @see SolrHealthStatus
         * @see SolrPingResponse
         */
+       @PreAuthorize("isAuthenticated()")
        @McpTool(name = "check-health", description = "Check health of a Solr 
collection")
        public SolrHealthStatus checkHealth(@McpToolParam(description = "Solr 
collection") String collection) {
                String actualCollection = extractCollectionName(collection);
diff --git 
a/src/main/java/org/apache/solr/mcp/server/metadata/SchemaService.java 
b/src/main/java/org/apache/solr/mcp/server/metadata/SchemaService.java
index f795587..19c5577 100644
--- a/src/main/java/org/apache/solr/mcp/server/metadata/SchemaService.java
+++ b/src/main/java/org/apache/solr/mcp/server/metadata/SchemaService.java
@@ -25,6 +25,7 @@ import 
org.apache.solr.client.solrj.request.schema.SchemaRequest;
 import org.apache.solr.client.solrj.response.schema.SchemaRepresentation;
 import org.springaicommunity.mcp.annotation.McpResource;
 import org.springaicommunity.mcp.annotation.McpTool;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Service;
 
 /**
@@ -249,6 +250,7 @@ public class SchemaService {
         * @see SchemaRequest
         * @see org.apache.solr.client.solrj.response.schema.SchemaResponse
         */
+       @PreAuthorize("isAuthenticated()")
        @McpTool(name = "get-schema", description = "Get schema for a Solr 
collection")
        public SchemaRepresentation getSchema(String collection) throws 
Exception {
                SchemaRequest schemaRequest = new SchemaRequest();
