@Xb2555 Xb2555 commented Dec 19, 2025

Ⅰ. Describe what this PR did

  1. Add configuration file attributes related to MCP

  2. Implement authentication for request paths related to MCP

Ⅱ. Does this pull request fix one issue?

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews

codecov bot commented Dec 19, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.12%. Comparing base (4593c46) to head (be1268e).
⚠️ Report is 1 commits behind head on 2.x.

Additional details and impacted files
@@             Coverage Diff              @@
##                2.x    #7876      +/-   ##
============================================
+ Coverage     71.11%   71.12%   +0.01%     
  Complexity      797      797              
============================================
  Files          1300     1300              
  Lines         49601    49601              
  Branches       5875     5875              
============================================
+ Hits          35274    35281       +7     
+ Misses        11406    11403       -3     
+ Partials       2921     2917       -4     

see 8 files with indirect coverage changes

@xjlgod xjlgod requested a review from Copilot December 20, 2025 09:20

xjlgod commented Dec 20, 2025

Has the previous MCP-related content been merged, or should we merge this one first?

@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
RequestMatcher[] ignoredMatchers = buildAntMatchers(env.getProperty("seata.security.ignore.urls", "/**"));
StringBuilder ignoreURLs = new StringBuilder(env.getProperty("seata.security.ignore.urls", "/**"));
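
Review bot: The fallback passed to env.getProperty on both lines of this hunk is "/**", so when seata.security.ignore.urls is missing from the configuration the ignore list matches every path. Consider an empty default, or failing startup when the property is absent, so that a missing property fails closed rather than open.
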
Contributor

maybe we can use string joiner

Contributor Author

I tried before. The path that needs to be ignored directly passed in as a string cannot be configured correctly. It needs to be converted to the RequestMatcher array (it might be a problem with the new version of security).

Copilot AI left a comment

Pull request overview

This PR adds Model Context Protocol (MCP) server support to the Seata console by introducing custom configuration properties and authentication mechanisms for MCP endpoints.

Key Changes:

  • Added MCP server configuration properties in application.yml including protocol type, endpoints, query duration limits, and authentication settings
  • Implemented MCPProperties class to manage MCP configuration with support for both SSE and streamable HTTP protocols
  • Created MCPAuthenticationFilter to handle username/password authentication via custom HTTP headers for MCP endpoints

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 12 comments.

| File | Description |
| --- | --- |
| namingserver/src/main/resources/application.yml | Adds MCP server configuration including protocol settings, endpoints, query duration limit, and authentication toggle |
| console/src/main/java/org/apache/seata/mcp/core/props/MCPProperties.java | New properties class that loads and manages MCP configuration from environment, supporting both SSE and streamable protocols |
| console/src/main/java/org/apache/seata/console/filter/MCPAuthenticationFilter.java | New authentication filter that extracts credentials from custom headers and validates them using Spring Security |
| console/src/main/java/org/apache/seata/console/config/WebSecurityConfig.java | Updates security configuration to add MCP endpoints to ignore and CSRF ignore lists |
| console/src/main/java/org/apache/seata/console/config/MCPFiltersConfig.java | Registers the MCP authentication filter and conditionally enables it based on configuration |
| changes/zh-cn/2.x.md | Documents the feature addition in Chinese changelog |
| changes/en-us/2.x.md | Documents the feature addition in English changelog |

Comments suppressed due to low confidence (1)

console/src/main/java/org/apache/seata/console/config/WebSecurityConfig.java:117

  • The MCP endpoints are being added to both the ignore URLs and CSRF ignore URLs. However, there's a logical conflict: if endpoints are in the ignore URLs list (which bypasses all security), they won't reach the MCPAuthenticationFilter that's registered in MCPFiltersConfig. This means authentication will never be enforced for MCP endpoints, even when seata.mcp.auth.enabled is true. Either remove MCP endpoints from the ignore list or reconsider the authentication strategy.
        StringBuilder ignoreURLs = new StringBuilder(env.getProperty("seata.security.ignore.urls", "/**"));
        List<String> mcpEndpoints = mcpProperties.getEndpoints();
        for (String endpoint : mcpEndpoints) {
            ignoreURLs.append(",").append(endpoint);
        }
        RequestMatcher[] ignoredMatchers =
                buildAntMatchers(ignoreURLs.toString().trim());
        return web -> {
            if (ignoredMatchers.length > 0) {
                web.ignoring().requestMatchers(ignoredMatchers);
            }
        };
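
Review bot: web.ignoring().requestMatchers(ignoredMatchers) at the end of this hunk takes matching requests out of the Spring Security filter chain altogether, and the MCP endpoints are now part of that list. If the intent is only to exempt them from the console login while another filter authenticates them, a permitAll() rule for those paths in the HttpSecurity chain keeps them inside the chain. Either way, an integration test that calls an MCP endpoint without credentials while seata.mcp.auth.enabled is true would show whether the request is actually rejected.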

Xb2555 commented Dec 20, 2025

> Has the previous MCP-related content been merged, or should we merge this one first?

Previously, only the dependencies related to MCP were introduced. Now, this PR introduces the MCP security configuration and custom parameter configuration. It can be directly merged in without any impact.

@xjlgod xjlgod left a comment

LGTM

Copilot AI left a comment

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.


Comment on lines 109 to 115
StringBuilder ignoreURLsBuilder = new StringBuilder(ignoreURLs);
List<String> mcpEndpoints = mcpProperties.getEndpoints();
for (String endpoint : mcpEndpoints) {
ignoreURLsBuilder.append(",").append(endpoint);
}
RequestMatcher[] ignoredMatchers =
buildAntMatchers(ignoreURLsBuilder.toString().trim());
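
Review bot: trim() on the last line of this hunk is applied only to the joined comma-separated string, so whitespace around an individual endpoint or an empty entry from mcpProperties.getEndpoints() is not normalised here unless buildAntMatchers does it. Building the matcher list from mcpEndpoints directly, trimming and skipping blank entries per element, avoids the string round-trip and makes the resulting set of ignored paths easier to audit.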

Copilot AI Dec 23, 2025

The MCP endpoints are being added to the security ignore list, which means Spring Security will completely bypass authentication for these endpoints. This conflicts with the purpose of MCPAuthenticationFilter which is meant to authenticate MCP requests. When endpoints are in the ignore list, they never reach any security filters. The MCPAuthenticationFilter registered in MCPFiltersConfig will not be invoked for these URLs. Remove the code that adds MCP endpoints to the ignore list if authentication is required for these endpoints.

Suggested change
StringBuilder ignoreURLsBuilder = new StringBuilder(ignoreURLs);
List<String> mcpEndpoints = mcpProperties.getEndpoints();
for (String endpoint : mcpEndpoints) {
ignoreURLsBuilder.append(",").append(endpoint);
}
RequestMatcher[] ignoredMatchers =
buildAntMatchers(ignoreURLsBuilder.toString().trim());
RequestMatcher[] ignoredMatchers =
buildAntMatchers(ignoreURLs.trim());

Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.


@funky-eyes funky-eyes added this to the 2.6.0 milestone Dec 23, 2025
@funky-eyes funky-eyes added the type: feature and module/namingserver labels Dec 23, 2025

@funky-eyes funky-eyes left a comment

LGTM

@funky-eyes funky-eyes merged commit ece45ac into apache:2.x Dec 23, 2025
11 checks passed
@Xb2555 Xb2555 deleted the feature_mcp_core branch December 23, 2025 11:46
YvCeung pushed a commit to YvCeung/incubator-seata that referenced this pull request Dec 25, 2025