diff --git a/README.md b/README.md index b0a425c..ec65edc 100644 --- a/README.md +++ b/README.md @@ -368,18 +368,6 @@ HTTP/SSE transport has the following security vulnerabilities when deployed with 4. **Network Exposure**: Unlike STDIO, HTTP endpoints are exposed over the network and accessible to any client that can reach the server -### Securing HTTP/SSE Deployments - -If you need to deploy the MCP server with HTTP/SSE transport for remote access, you **must** implement security -controls: - -1. **Use HTTPS**: Always use TLS/SSL encryption for production deployments -2. **Implement OAuth2 Authentication**: Follow - the [Spring AI MCP OAuth2 guide](https://spring.io/blog/2025/04/02/mcp-server-oauth2/) to add authentication -3. **Validate Origin Headers**: Implement origin header validation to prevent DNS rebinding attacks -4. **Network Isolation**: Deploy behind a firewall or VPN, restricting access to trusted networks -5. **Use API Gateways**: Consider deploying behind an API gateway with authentication and rate limiting - ### Recommendation - **Local development/testing**: Use HTTP/SSE mode for testing with MCP Inspector, but only on localhost diff --git a/build.gradle.kts b/build.gradle.kts index 3142832..71e35f6 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -29,7 +29,6 @@ repositories { } dependencies { - implementation("org.springframework.boot:spring-boot-starter-actuator") annotationProcessor(libs.spring.boot.configuration.processor) annotationProcessor(libs.lombok) 
@@ -37,11 +36,13 @@ dependencies { developmentOnly(libs.bundles.spring.boot.dev) - implementation(libs.spring.boot.starter.webflux) - implementation(libs.spring.ai.starter.mcp.server.webflux) + implementation(libs.spring.boot.starter.actuator) + implementation(libs.spring.boot.starter.web) + implementation(libs.spring.ai.starter.mcp.server.webmvc) implementation(libs.solr.solrj) { exclude(group = "org.apache.httpcomponents") } + implementation(libs.commons.csv) // JSpecify for nullability annotations implementation(libs.jspecify) diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index cc0f3bc..4b516ad 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -23,8 +23,9 @@ testcontainers = "1.21.3" [libraries] # Spring -spring-boot-starter-webflux = { module = "org.springframework.boot:spring-boot-starter-webflux" } -spring-ai-starter-mcp-server-webflux = { module = "org.springframework.ai:spring-ai-starter-mcp-server-webflux" } +spring-boot-starter-actuator = { module = "org.springframework.boot:spring-boot-starter-actuator" } +spring-boot-starter-web = { module = "org.springframework.boot:spring-boot-starter-web" } +spring-ai-starter-mcp-server-webmvc = { module = "org.springframework.ai:spring-ai-starter-mcp-server-webmvc" } spring-ai-starter-mcp-client = { module = "org.springframework.ai:spring-ai-starter-mcp-client" } spring-ai-spring-boot-docker-compose = { module = "org.springframework.ai:spring-ai-spring-boot-docker-compose" } spring-ai-spring-boot-testcontainers = { module = "org.springframework.ai:spring-ai-spring-boot-testcontainers" } @@ -58,8 +59,8 @@ junit-platform-launcher = { module = "org.junit.platform:junit-platform-launcher [bundles] spring-ai-mcp = [ - "spring-boot-starter-webflux", - "spring-ai-starter-mcp-server-webflux" + "spring-boot-starter-web", + "spring-ai-starter-mcp-server-webmvc" ] spring-boot-dev = [ 
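Review bot: In build.gradle.kts the added `implementation(libs.commons.csv)` has no matching `commons-csv` entry in any of the gradle/libs.versions.toml hunks of this commit. Unless the catalog already declares it outside the lines shown, the accessor will not resolve. If the entry is missing, I would add it with an explicit version reference so the new parser dependency is pinned, e.g. `commons-csv = { module = "org.apache.commons:commons-csv", version.ref = "commons-csv" }` (the version key name here is a placeholder). Separately, the actuator starter now sits on the servlet stack next to the MCP endpoints, which the README appears to describe as unauthenticated in HTTP mode, so it is worth confirming that `management.endpoints.web.exposure.include` is left at its default. The `dependencies { … }` block starts in the previous hunk and continues past the end of this one.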
@@ -67,6 +68,7 @@ spring-boot-dev = [ "spring-ai-spring-boot-docker-compose" ] + test = [ "spring-boot-starter-test", "spring-boot-testcontainers", diff --git a/src/main/resources/application-sse.properties b/src/main/resources/application-sse.properties index 9451bf3..cc5c1ed 100644 --- a/src/main/resources/application-sse.properties +++ b/src/main/resources/application-sse.properties @@ -1,3 +1,2 @@ -spring.main.web-application-type=reactive -sever.port=8080 -spring.ai.mcp.server.type=async +spring.main.web-application-type=servlet +spring.ai.mcp.server.type=sync
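Review bot: After this change application-sse.properties sets neither `server.port` nor `server.address`, so the SSE profile listens on Spring Boot's default port on every interface. The deleted `sever.port=8080` was a misspelt key that never took effect, so removing it is fine, but nothing replaces it. The README context in this commit calls HTTP endpoints network-exposed and recommends localhost-only use for testing, so I would add `server.address=127.0.0.1` to this profile and make wider binding an explicit opt-in. The same commit also deletes the README's "Securing HTTP/SSE Deployments" section, so a comment such as `# HTTP/SSE mode: keep on loopback unless TLS and authentication are provided in front of it` would keep that guidance next to the setting.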