adityamparikh opened a new pull request, #120: URL: https://github.com/apache/solr-mcp/pull/120
## Summary Adds `@PreAuthorize(\"isAuthenticated()\")` to four MCP tools that previously allowed anonymous access in HTTP mode (when security is enabled): - `CollectionService.listCollections` - `CollectionService.getCollectionStats` - `CollectionService.checkHealth` - `SchemaService.getSchema` These expose collection inventory, document counts, cache/handler stats, health, and schema fields — useful reconnaissance for an attacker probing the underlying Solr cluster. They were reachable anonymously because the `SecurityFilterChain` permits `/mcp` at the HTTP layer (matching the upstream [`spring-ai-community/mcp-security` "secured tools" sample](https://github.com/spring-ai-community/mcp-security/blob/main/samples/sample-mcp-server-secured-tools/src/main/java/org/springaicommunity/mcp/security/sample/server/securedtools/McpServerConfiguration.java), which relies entirely on `@PreAuthorize` for per-tool gating). The other tool methods (`search`, `index-*`, `create-collection`) already had this annotation. This is the canonical pattern from the upstream sample — the filter chain stays `permitAll` on `/mcp`, and method-level security gates each tool individually. ## Behavior - **STDIO mode**: no change. `MethodSecurityConfiguration` is `@Profile(\"http\")`, so the annotation is inert. - **HTTP mode with `http.security.enabled=false`**: no change. Method security bean isn't loaded. - **HTTP mode with `http.security.enabled=true`**: previously-anonymous tools now require a valid OAuth2 bearer token. This is the intended security model. ## Test plan - [x] `./gradlew spotlessApply` clean - [x] `./gradlew build` passes (unit + integration tests) - [ ] Manual verification with MCP Inspector: confirm tools return 401 when no token is sent and 200 with a valid token 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
