
fix: accept header accessor function in ServerTransportSecurityValidator#982

Open
neerajbhatt wants to merge 1 commit into
modelcontextprotocol:mainfrom
neerajbhatt:fix/870-security-validator-header-accessor
Open


Conversation

@neerajbhatt

Summary

  • Replace Map<String, List<String>> parameter with Function<String, List<String>> in ServerTransportSecurityValidator.validateHeaders(), as proposed in #870 (ServerTransportSecurityValidator accepts an accessor function for header)
  • This avoids extracting all headers upfront and delegates case-insensitive header matching to the underlying request (e.g. HttpServletRequest.getHeaders is case-insensitive per the Servlet spec)
  • Remove HttpServletRequestUtils utility class (no longer needed)

Changes

  • ServerTransportSecurityValidator — validateHeaders(Function<String, List<String>> headerAccessor)
  • DefaultServerTransportSecurityValidator — directly queries Origin and Host via accessor instead of iterating all headers
  • 3 servlet transports — pass name -> Collections.list(request.getHeaders(name)) instead of extractHeaders(request)
  • Unit tests — updated to use accessor-based API

Test plan

  • All 39 DefaultServerTransportSecurityValidatorTests pass
  • ServerTransportSecurityIntegrationTests pass (1 pre-existing flaky retry on messageOriginNotAllowed)
  • CI pipeline passes

Closes #870

Replace Map<String, List<String>> parameter with
Function<String, List<String>> in validateHeaders(), allowing callers
to pass a header accessor instead of extracting all headers upfront.

This is more efficient (only requested headers are looked up) and
delegates case-insensitive header matching to the underlying request
implementation (e.g. HttpServletRequest.getHeaders).

- Update DefaultServerTransportSecurityValidator to use the accessor
  directly for Origin and Host headers
- Update all three servlet transport providers to pass
  name -> Collections.list(request.getHeaders(name))
- Remove HttpServletRequestUtils (no longer needed)
- Update unit tests to use accessor-based API

Closes modelcontextprotocol#870
@Kehrlann
Contributor

The proposed change would be breaking. The original ServerTransportSecurityValidator has been shipped in a previous major. If you'd like to contribute this, we need a deprecation path.
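To make the accessor-based contract from the PR description and the compatibility concern from the review comment concrete, here is an illustrative Java sketch added for this page. It is not the SDK's ServerTransportSecurityValidator and not code from the PR or the project; the names HeaderValidator, AllowlistHeaderValidator and fromMap, the allowlist policy for Host and Origin, and the sample requests are all assumptions constructed for the example. The shape of the accessor (a Function<String, List<String>> returning all values of one header, built in a servlet as name -> Collections.list(request.getHeaders(name))) follows the PR text.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.function.Function;

// Illustrative contract (not the SDK's interface): the accessor returns every value
// of the named header, or an empty list when the header is absent.
interface HeaderValidator {
    boolean validateHeaders(Function<String, List<String>> headerAccessor);

    // Compatibility path, as an alternative to a breaking signature change: the older
    // Map-based form is kept as a deprecated default method that adapts the map to an
    // accessor, so existing callers keep compiling while they migrate.
    @Deprecated
    default boolean validateHeaders(Map<String, List<String>> headers) {
        return validateHeaders(fromMap(headers));
    }

    // Builds an accessor over a plain map with case-insensitive name matching, which is
    // what a servlet container's getHeaders(name) already provides natively.
    static Function<String, List<String>> fromMap(Map<String, List<String>> raw) {
        Map<String, List<String>> ci = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        ci.putAll(raw);
        return name -> ci.getOrDefault(name, Collections.emptyList());
    }
}

// Assumed policy: exactly one Host header, which must be allowlisted; Origin is optional
// (non-browser clients omit it) but when present must be single and allowlisted.
final class AllowlistHeaderValidator implements HeaderValidator {
    private final Set<String> allowedHosts;
    private final Set<String> allowedOrigins;

    AllowlistHeaderValidator(Set<String> allowedHosts, Set<String> allowedOrigins) {
        this.allowedHosts = allowedHosts;
        this.allowedOrigins = allowedOrigins;
    }

    @Override
    public boolean validateHeaders(Function<String, List<String>> headerAccessor) {
        // Only the two headers the policy needs are looked up; nothing is enumerated upfront.
        List<String> hosts = headerAccessor.apply("Host");
        List<String> origins = headerAccessor.apply("Origin");

        // A missing or duplicated Host header is rejected rather than picking one value.
        if (hosts.size() != 1 || !allowedHosts.contains(hosts.get(0))) {
            return false;
        }
        if (origins.isEmpty()) {
            return true;
        }
        return origins.size() == 1 && allowedOrigins.contains(origins.get(0));
    }
}

public class HeaderAccessorDemo {
    public static void main(String[] args) {
        HeaderValidator validator = new AllowlistHeaderValidator(
                Set.of("localhost:8080"), Set.of("http://localhost:3000"));

        // Constructed sample requests; header names deliberately vary in case.
        Map<String, List<String>> browserOk = Map.of(
                "host", List.of("localhost:8080"),
                "origin", List.of("http://localhost:3000"));
        Map<String, List<String>> wrongOrigin = Map.of(
                "Host", List.of("localhost:8080"),
                "Origin", List.of("http://not-allowed.example"));
        Map<String, List<String>> duplicateHost = Map.of(
                "HOST", List.of("localhost:8080", "other.example"));

        System.out.println("browser request:   " + validator.validateHeaders(HeaderValidator.fromMap(browserOk)));
        System.out.println("wrong origin:      " + validator.validateHeaders(HeaderValidator.fromMap(wrongOrigin)));
        System.out.println("duplicate host:    " + validator.validateHeaders(HeaderValidator.fromMap(duplicateHost)));
        // Old Map-based call still works through the deprecated shim.
        System.out.println("via deprecated:    " + validator.validateHeaders(browserOk));
    }
}
```

When wiring a real servlet accessor, note that the Servlet API's getHeaders(name) may return null when the container does not permit access to header information, so a production accessor should map null to an empty list before Collections.list is applied; the sketch above never hits that case because its map-backed accessor always returns a list.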

@Kehrlann Kehrlann self-assigned this May 26, 2026
@Kehrlann Kehrlann added labels area/server, waiting for user (Waiting for user feedback or more details), enhancement (New feature or request) and P2 (Moderate issues affecting some users, edge cases, potentially valuable feature) on May 26, 2026