adityamparikh opened a new pull request, #40:
URL: https://github.com/apache/solr-mcp/pull/40
## Summary
Add ability to disable OAuth2 security in HTTP mode for local development
and testing scenarios. Security can be toggled via `spring.security.enabled`
property:
- `spring.security.enabled=true` (or unset): Full OAuth2 authentication with
`@PreAuthorize` enforcement
- `spring.security.enabled=false`: All requests permitted, `@PreAuthorize`
annotations bypassed
## Changes
- **McpServerConfiguration.java**: Add `@ConditionalOnProperty` to
`SecurityFilterChain` beans; add new `unsecured()` filter chain
- **MethodSecurityConfiguration.java**: New file - extracts
`@EnableMethodSecurity` to separate class that's conditionally loaded
- **application-http.properties**: Add
`spring.security.enabled=${SECURITY_ENABLED:false}` property (defaults to
disabled for easier local testing)
## Usage
To enable security:
```bash
export SECURITY_ENABLED=true
export OAUTH2_ISSUER_URI=https://your-tenant.auth0.com/
./gradlew bootRun
```
To disable security (default):
```bash
./gradlew bootRun
```
## Test plan
- [ ] Run `./gradlew build` - verify tests pass
- [ ] Run with `PROFILES=http` and verify MCP Inspector works without auth
token
- [ ] Run with `PROFILES=http SECURITY_ENABLED=true OAUTH2_ISSUER_URI=...`
and verify auth is required
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
