Package com.onec.mcp

Class McpPrincipalContext

java.lang.Object
com.onec.mcp.McpPrincipalContext
All Implemented Interfaces:
io.modelcontextprotocol.server.McpTransportContextExtractor<jakarta.servlet.http.HttpServletRequest>
public class McpPrincipalContext extends Object implements io.modelcontextprotocol.server.McpTransportContextExtractor<jakarta.servlet.http.HttpServletRequest>
Bridges the authenticated Spring Security principal into the MCP tool-call context.

The MCP servlet transport runs extract(jakarta.servlet.http.HttpServletRequest) on the servlet request thread, after the Spring Security filter chain has populated SecurityContextHolder for that request. We capture the Authentication there and stash it in the McpTransportContext, which the SDK propagates into the (possibly reactive) tool-call processing. Tool handlers then read it back via principal(McpSyncServerExchange) — never from the thread-local, which may not survive the hop to a Reactor scheduler thread.

This makes every tool execute as the connecting user, so the existing UiAccessService deny-by-default role checks apply unchanged.

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    PRINCIPAL_KEY
    Key under which the captured Principal is stored in the transport context.

  • Constructor Summary

    Constructors
    Constructor
    Description
    McpPrincipalContext()
     

  • Method Summary

    Modifier and Type
    Method
    Description
    io.modelcontextprotocol.common.McpTransportContext
    extract(jakarta.servlet.http.HttpServletRequest request)
     
    static Principal
    principal(io.modelcontextprotocol.server.McpSyncServerExchange exchange)
    Reads the authenticated principal captured for the current tool call, or null when the request was anonymous.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Field Details

  • Constructor Details

    • McpPrincipalContext

      public McpPrincipalContext()

  • Method Details

    • extract

      public io.modelcontextprotocol.common.McpTransportContext extract(jakarta.servlet.http.HttpServletRequest request)
      Specified by:
      extract in interface io.modelcontextprotocol.server.McpTransportContextExtractor<jakarta.servlet.http.HttpServletRequest>

    • principal

      public static Principal principal(io.modelcontextprotocol.server.McpSyncServerExchange exchange)
      Reads the authenticated principal captured for the current tool call, or null when the request was anonymous. A null principal is denied everything by UiAccessService (deny by default), which is the desired behavior.