diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/.mvn/wrapper/maven-wrapper.properties b/model-context-protocol/weather/starter-webmvc-oauth2-server/.mvn/wrapper/maven-wrapper.properties new file mode 100644 index 0000000..d58dfb7 --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/.mvn/wrapper/maven-wrapper.properties @@ -0,0 +1,19 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +wrapperVersion=3.3.2 +distributionType=only-script +distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/README.md b/model-context-protocol/weather/starter-webmvc-oauth2-server/README.md new file mode 100644 index 0000000..e8eed10 --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/README.md @@ -0,0 +1,50 @@ +# MCP with OAuth + +This sample demonstrates how to secure an MCP server using OAuth2, as per +the [MCP specification](https://spec.modelcontextprotocol.io/specification/2025-03-26/basic/authorization/). + +## Getting started + +Run the project with: + +``` +./mvnw spring-boot:run +``` + +Obtain a token by calling the `/oauth2/token` endpoint: + +```shell +curl -XPOST "http://localhost:8080/oauth2/token" \ + --data grant_type=client_credentials \ + --user "oidc-client:secret" +# And copy-paste the access token +# Or use JQ: +curl -XPOST "http://localhost:8080/oauth2/token" \ + --data grant_type=client_credentials \ + --user "oidc-client:secret" | jq -r ".access_token" +``` + +Store that token, and then boot up the MCP inspector: + +```shell +npx @modelcontextprotocol/inspector@0.6.0 +``` + +In the MCP inspector, paste your token. Click connect, and voilĂ ! + +![MCP inspector](./mcp-inspector.png) + +Note that the token is only valid for 5 minutes + +## Implementation considerations + +### Dependencies + +In Spring, OAuth2 Support for MCP server means adding: + +1. [Spring Security](https://docs.spring.io/spring-security/) (infrastructure for security) +2. [Spring Authorization Server](https://docs.spring.io/spring-authorization-server/) (issuing tokens) +3. [Spring Security: OAuth2 Resource Server](https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/index.html#page-title) ( + authentication using tokens) + +Note that Spring Auth Server does not support the reactive stack, so issuing tokens only works in Servlet. diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/mcp-inspector.png b/model-context-protocol/weather/starter-webmvc-oauth2-server/mcp-inspector.png new file mode 100644 index 0000000..4456c09 Binary files /dev/null and b/model-context-protocol/weather/starter-webmvc-oauth2-server/mcp-inspector.png differ diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/mvnw b/model-context-protocol/weather/starter-webmvc-oauth2-server/mvnw new file mode 100755 index 0000000..19529dd --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/mvnw @@ -0,0 +1,259 @@ +#!/bin/sh +# ---------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# ---------------------------------------------------------------------------- + +# ---------------------------------------------------------------------------- +# Apache Maven Wrapper startup batch script, version 3.3.2 +# +# Optional ENV vars +# ----------------- +# JAVA_HOME - location of a JDK home dir, required when download maven via java source +# MVNW_REPOURL - repo url base for downloading maven distribution +# MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven +# MVNW_VERBOSE - true: enable verbose log; debug: trace the mvnw script; others: silence the output +# ---------------------------------------------------------------------------- + +set -euf +[ "${MVNW_VERBOSE-}" != debug ] || set -x + +# OS specific support. +native_path() { printf %s\\n "$1"; } +case "$(uname)" in +CYGWIN* | MINGW*) + [ -z "${JAVA_HOME-}" ] || JAVA_HOME="$(cygpath --unix "$JAVA_HOME")" + native_path() { cygpath --path --windows "$1"; } + ;; +esac + +# set JAVACMD and JAVACCMD +set_java_home() { + # For Cygwin and MinGW, ensure paths are in Unix format before anything is touched + if [ -n "${JAVA_HOME-}" ]; then + if [ -x "$JAVA_HOME/jre/sh/java" ]; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACCMD="$JAVA_HOME/jre/sh/javac" + else + JAVACMD="$JAVA_HOME/bin/java" + JAVACCMD="$JAVA_HOME/bin/javac" + + if [ ! -x "$JAVACMD" ] || [ ! -x "$JAVACCMD" ]; then + echo "The JAVA_HOME environment variable is not defined correctly, so mvnw cannot run." >&2 + echo "JAVA_HOME is set to \"$JAVA_HOME\", but \"\$JAVA_HOME/bin/java\" or \"\$JAVA_HOME/bin/javac\" does not exist." >&2 + return 1 + fi + fi + else + JAVACMD="$( + 'set' +e + 'unset' -f command 2>/dev/null + 'command' -v java + )" || : + JAVACCMD="$( + 'set' +e + 'unset' -f command 2>/dev/null + 'command' -v javac + )" || : + + if [ ! -x "${JAVACMD-}" ] || [ ! -x "${JAVACCMD-}" ]; then + echo "The java/javac command does not exist in PATH nor is JAVA_HOME set, so mvnw cannot run." >&2 + return 1 + fi + fi +} + +# hash string like Java String::hashCode +hash_string() { + str="${1:-}" h=0 + while [ -n "$str" ]; do + char="${str%"${str#?}"}" + h=$(((h * 31 + $(LC_CTYPE=C printf %d "'$char")) % 4294967296)) + str="${str#?}" + done + printf %x\\n $h +} + +verbose() { :; } +[ "${MVNW_VERBOSE-}" != true ] || verbose() { printf %s\\n "${1-}"; } + +die() { + printf %s\\n "$1" >&2 + exit 1 +} + +trim() { + # MWRAPPER-139: + # Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds. + # Needed for removing poorly interpreted newline sequences when running in more + # exotic environments such as mingw bash on Windows. + printf "%s" "${1}" | tr -d '[:space:]' +} + +# parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties +while IFS="=" read -r key value; do + case "${key-}" in + distributionUrl) distributionUrl=$(trim "${value-}") ;; + distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;; + esac +done <"${0%/*}/.mvn/wrapper/maven-wrapper.properties" +[ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in ${0%/*}/.mvn/wrapper/maven-wrapper.properties" + +case "${distributionUrl##*/}" in +maven-mvnd-*bin.*) + MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ + case "${PROCESSOR_ARCHITECTURE-}${PROCESSOR_ARCHITEW6432-}:$(uname -a)" in + *AMD64:CYGWIN* | *AMD64:MINGW*) distributionPlatform=windows-amd64 ;; + :Darwin*x86_64) distributionPlatform=darwin-amd64 ;; + :Darwin*arm64) distributionPlatform=darwin-aarch64 ;; + :Linux*x86_64*) distributionPlatform=linux-amd64 ;; + *) + echo "Cannot detect native platform for mvnd on $(uname)-$(uname -m), use pure java version" >&2 + distributionPlatform=linux-amd64 + ;; + esac + distributionUrl="${distributionUrl%-bin.*}-$distributionPlatform.zip" + ;; +maven-mvnd-*) MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ ;; +*) MVN_CMD="mvn${0##*/mvnw}" _MVNW_REPO_PATTERN=/org/apache/maven/ ;; +esac + +# apply MVNW_REPOURL and calculate MAVEN_HOME +# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ +[ -z "${MVNW_REPOURL-}" ] || distributionUrl="$MVNW_REPOURL$_MVNW_REPO_PATTERN${distributionUrl#*"$_MVNW_REPO_PATTERN"}" +distributionUrlName="${distributionUrl##*/}" +distributionUrlNameMain="${distributionUrlName%.*}" +distributionUrlNameMain="${distributionUrlNameMain%-bin}" +MAVEN_USER_HOME="${MAVEN_USER_HOME:-${HOME}/.m2}" +MAVEN_HOME="${MAVEN_USER_HOME}/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")" + +exec_maven() { + unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || : + exec "$MAVEN_HOME/bin/$MVN_CMD" "$@" || die "cannot exec $MAVEN_HOME/bin/$MVN_CMD" +} + +if [ -d "$MAVEN_HOME" ]; then + verbose "found existing MAVEN_HOME at $MAVEN_HOME" + exec_maven "$@" +fi + +case "${distributionUrl-}" in +*?-bin.zip | *?maven-mvnd-?*-?*.zip) ;; +*) die "distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found '${distributionUrl-}'" ;; +esac + +# prepare tmp dir +if TMP_DOWNLOAD_DIR="$(mktemp -d)" && [ -d "$TMP_DOWNLOAD_DIR" ]; then + clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; } + trap clean HUP INT TERM EXIT +else + die "cannot create temp dir" +fi + +mkdir -p -- "${MAVEN_HOME%/*}" + +# Download and Install Apache Maven +verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." +verbose "Downloading from: $distributionUrl" +verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" + +# select .zip or .tar.gz +if ! command -v unzip >/dev/null; then + distributionUrl="${distributionUrl%.zip}.tar.gz" + distributionUrlName="${distributionUrl##*/}" +fi + +# verbose opt +__MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR='' +[ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v + +# normalize http auth +case "${MVNW_PASSWORD:+has-password}" in +'') MVNW_USERNAME='' MVNW_PASSWORD='' ;; +has-password) [ -n "${MVNW_USERNAME-}" ] || MVNW_USERNAME='' MVNW_PASSWORD='' ;; +esac + +if [ -z "${MVNW_USERNAME-}" ] && command -v wget >/dev/null; then + verbose "Found wget ... using wget" + wget ${__MVNW_QUIET_WGET:+"$__MVNW_QUIET_WGET"} "$distributionUrl" -O "$TMP_DOWNLOAD_DIR/$distributionUrlName" || die "wget: Failed to fetch $distributionUrl" +elif [ -z "${MVNW_USERNAME-}" ] && command -v curl >/dev/null; then + verbose "Found curl ... using curl" + curl ${__MVNW_QUIET_CURL:+"$__MVNW_QUIET_CURL"} -f -L -o "$TMP_DOWNLOAD_DIR/$distributionUrlName" "$distributionUrl" || die "curl: Failed to fetch $distributionUrl" +elif set_java_home; then + verbose "Falling back to use Java to download" + javaSource="$TMP_DOWNLOAD_DIR/Downloader.java" + targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName" + cat >"$javaSource" <<-END + public class Downloader extends java.net.Authenticator + { + protected java.net.PasswordAuthentication getPasswordAuthentication() + { + return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() ); + } + public static void main( String[] args ) throws Exception + { + setDefault( new Downloader() ); + java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() ); + } + } + END + # For Cygwin/MinGW, switch paths to Windows format before running javac and java + verbose " - Compiling Downloader.java ..." + "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" || die "Failed to compile Downloader.java" + verbose " - Running Downloader.java ..." + "$(native_path "$JAVACMD")" -cp "$(native_path "$TMP_DOWNLOAD_DIR")" Downloader "$distributionUrl" "$(native_path "$targetZip")" +fi + +# If specified, validate the SHA-256 sum of the Maven distribution zip file +if [ -n "${distributionSha256Sum-}" ]; then + distributionSha256Result=false + if [ "$MVN_CMD" = mvnd.sh ]; then + echo "Checksum validation is not supported for maven-mvnd." >&2 + echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 + exit 1 + elif command -v sha256sum >/dev/null; then + if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c >/dev/null 2>&1; then + distributionSha256Result=true + fi + elif command -v shasum >/dev/null; then + if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 256 -c >/dev/null 2>&1; then + distributionSha256Result=true + fi + else + echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2 + echo "Please install either command, or disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 + exit 1 + fi + if [ $distributionSha256Result = false ]; then + echo "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised." >&2 + echo "If you updated your Maven version, you need to update the specified distributionSha256Sum property." >&2 + exit 1 + fi +fi + +# unzip and move +if command -v unzip >/dev/null; then + unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip" +else + tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" || die "failed to untar" +fi +printf %s\\n "$distributionUrl" >"$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/mvnw.url" +mv -- "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" "$MAVEN_HOME" || [ -d "$MAVEN_HOME" ] || die "fail to move MAVEN_HOME" + +clean || : +exec_maven "$@" diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/mvnw.cmd b/model-context-protocol/weather/starter-webmvc-oauth2-server/mvnw.cmd new file mode 100644 index 0000000..b150b91 --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/mvnw.cmd @@ -0,0 +1,149 @@ +<# : batch portion +@REM ---------------------------------------------------------------------------- +@REM Licensed to the Apache Software Foundation (ASF) under one +@REM or more contributor license agreements. See the NOTICE file +@REM distributed with this work for additional information +@REM regarding copyright ownership. The ASF licenses this file +@REM to you under the Apache License, Version 2.0 (the +@REM "License"); you may not use this file except in compliance +@REM with the License. You may obtain a copy of the License at +@REM +@REM http://www.apache.org/licenses/LICENSE-2.0 +@REM +@REM Unless required by applicable law or agreed to in writing, +@REM software distributed under the License is distributed on an +@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +@REM KIND, either express or implied. See the License for the +@REM specific language governing permissions and limitations +@REM under the License. +@REM ---------------------------------------------------------------------------- + +@REM ---------------------------------------------------------------------------- +@REM Apache Maven Wrapper startup batch script, version 3.3.2 +@REM +@REM Optional ENV vars +@REM MVNW_REPOURL - repo url base for downloading maven distribution +@REM MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven +@REM MVNW_VERBOSE - true: enable verbose log; others: silence the output +@REM ---------------------------------------------------------------------------- + +@IF "%__MVNW_ARG0_NAME__%"=="" (SET __MVNW_ARG0_NAME__=%~nx0) +@SET __MVNW_CMD__= +@SET __MVNW_ERROR__= +@SET __MVNW_PSMODULEP_SAVE=%PSModulePath% +@SET PSModulePath= +@FOR /F "usebackq tokens=1* delims==" %%A IN (`powershell -noprofile "& {$scriptDir='%~dp0'; $script='%__MVNW_ARG0_NAME__%'; icm -ScriptBlock ([Scriptblock]::Create((Get-Content -Raw '%~f0'))) -NoNewScope}"`) DO @( + IF "%%A"=="MVN_CMD" (set __MVNW_CMD__=%%B) ELSE IF "%%B"=="" (echo %%A) ELSE (echo %%A=%%B) +) +@SET PSModulePath=%__MVNW_PSMODULEP_SAVE% +@SET __MVNW_PSMODULEP_SAVE= +@SET __MVNW_ARG0_NAME__= +@SET MVNW_USERNAME= +@SET MVNW_PASSWORD= +@IF NOT "%__MVNW_CMD__%"=="" (%__MVNW_CMD__% %*) +@echo Cannot start maven from wrapper >&2 && exit /b 1 +@GOTO :EOF +: end batch / begin powershell #> + +$ErrorActionPreference = "Stop" +if ($env:MVNW_VERBOSE -eq "true") { + $VerbosePreference = "Continue" +} + +# calculate distributionUrl, requires .mvn/wrapper/maven-wrapper.properties +$distributionUrl = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionUrl +if (!$distributionUrl) { + Write-Error "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties" +} + +switch -wildcard -casesensitive ( $($distributionUrl -replace '^.*/','') ) { + "maven-mvnd-*" { + $USE_MVND = $true + $distributionUrl = $distributionUrl -replace '-bin\.[^.]*$',"-windows-amd64.zip" + $MVN_CMD = "mvnd.cmd" + break + } + default { + $USE_MVND = $false + $MVN_CMD = $script -replace '^mvnw','mvn' + break + } +} + +# apply MVNW_REPOURL and calculate MAVEN_HOME +# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ +if ($env:MVNW_REPOURL) { + $MVNW_REPO_PATTERN = if ($USE_MVND) { "/org/apache/maven/" } else { "/maven/mvnd/" } + $distributionUrl = "$env:MVNW_REPOURL$MVNW_REPO_PATTERN$($distributionUrl -replace '^.*'+$MVNW_REPO_PATTERN,'')" +} +$distributionUrlName = $distributionUrl -replace '^.*/','' +$distributionUrlNameMain = $distributionUrlName -replace '\.[^.]*$','' -replace '-bin$','' +$MAVEN_HOME_PARENT = "$HOME/.m2/wrapper/dists/$distributionUrlNameMain" +if ($env:MAVEN_USER_HOME) { + $MAVEN_HOME_PARENT = "$env:MAVEN_USER_HOME/wrapper/dists/$distributionUrlNameMain" +} +$MAVEN_HOME_NAME = ([System.Security.Cryptography.MD5]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join '' +$MAVEN_HOME = "$MAVEN_HOME_PARENT/$MAVEN_HOME_NAME" + +if (Test-Path -Path "$MAVEN_HOME" -PathType Container) { + Write-Verbose "found existing MAVEN_HOME at $MAVEN_HOME" + Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD" + exit $? +} + +if (! $distributionUrlNameMain -or ($distributionUrlName -eq $distributionUrlNameMain)) { + Write-Error "distributionUrl is not valid, must end with *-bin.zip, but found $distributionUrl" +} + +# prepare tmp dir +$TMP_DOWNLOAD_DIR_HOLDER = New-TemporaryFile +$TMP_DOWNLOAD_DIR = New-Item -Itemtype Directory -Path "$TMP_DOWNLOAD_DIR_HOLDER.dir" +$TMP_DOWNLOAD_DIR_HOLDER.Delete() | Out-Null +trap { + if ($TMP_DOWNLOAD_DIR.Exists) { + try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null } + catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" } + } +} + +New-Item -Itemtype Directory -Path "$MAVEN_HOME_PARENT" -Force | Out-Null + +# Download and Install Apache Maven +Write-Verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." +Write-Verbose "Downloading from: $distributionUrl" +Write-Verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" + +$webclient = New-Object System.Net.WebClient +if ($env:MVNW_USERNAME -and $env:MVNW_PASSWORD) { + $webclient.Credentials = New-Object System.Net.NetworkCredential($env:MVNW_USERNAME, $env:MVNW_PASSWORD) +} +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +$webclient.DownloadFile($distributionUrl, "$TMP_DOWNLOAD_DIR/$distributionUrlName") | Out-Null + +# If specified, validate the SHA-256 sum of the Maven distribution zip file +$distributionSha256Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha256Sum +if ($distributionSha256Sum) { + if ($USE_MVND) { + Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." + } + Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash + if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA256).Hash.ToLower() -ne $distributionSha256Sum) { + Write-Error "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha256Sum property." + } +} + +# unzip and move +Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null +Rename-Item -Path "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" -NewName $MAVEN_HOME_NAME | Out-Null +try { + Move-Item -Path "$TMP_DOWNLOAD_DIR/$MAVEN_HOME_NAME" -Destination $MAVEN_HOME_PARENT | Out-Null +} catch { + if (! (Test-Path -Path "$MAVEN_HOME" -PathType Container)) { + Write-Error "fail to move MAVEN_HOME" + } +} finally { + try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null } + catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" } +} + +Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD" diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/pom.xml b/model-context-protocol/weather/starter-webmvc-oauth2-server/pom.xml new file mode 100644 index 0000000..0807d0d --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/pom.xml @@ -0,0 +1,93 @@ + + + 4.0.0 + + org.springframework.boot + spring-boot-starter-parent + 3.4.3 + + + + com.example + + mcp-weather-starter-webmvc-oauth2-server + 0.0.1-SNAPSHOT + + Spring AI MCP Weather Sample + Sample Spring Boot application demonstrating MCP Server usage with OAuth2 authorization + + + + + org.springframework.ai + spring-ai-bom + 1.0.0-SNAPSHOT + pom + import + + + + + + + org.springframework.ai + spring-ai-starter-mcp-server-webmvc + + + org.springframework.boot + spring-boot-starter-oauth2-resource-server + + + org.springframework.boot + spring-boot-starter-oauth2-authorization-server + + + + org.springframework.boot + spring-boot-starter-test + test + + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + + + + + Central Portal Snapshots + central-portal-snapshots + https://central.sonatype.com/repository/maven-snapshots/ + + false + + + true + + + + spring-milestones + Spring Milestones + https://repo.spring.io/milestone + + false + + + + spring-snapshots + Spring Snapshots + https://repo.spring.io/snapshot + + false + + + + + \ No newline at end of file diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/java/org/springframework/ai/mcp/sample/server/McpServerApplication.java b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/java/org/springframework/ai/mcp/sample/server/McpServerApplication.java new file mode 100644 index 0000000..a6decee --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/java/org/springframework/ai/mcp/sample/server/McpServerApplication.java @@ -0,0 +1,49 @@ +/* + * Copyright 2024 - 2025 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.ai.mcp.sample.server; + +import org.springframework.ai.tool.ToolCallback; +import org.springframework.ai.tool.ToolCallbackProvider; +import org.springframework.ai.tool.function.FunctionToolCallback; +import org.springframework.ai.tool.method.MethodToolCallbackProvider; +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.context.annotation.Bean; + +@SpringBootApplication +public class McpServerApplication { + + public static void main(String[] args) { + SpringApplication.run(McpServerApplication.class, args); + } + + @Bean + public ToolCallbackProvider weatherTools(WeatherService weatherService) { + return MethodToolCallbackProvider.builder().toolObjects(weatherService).build(); + } + + public record TextInput(String input) { + } + + @Bean + public ToolCallback toUpperCase() { + return FunctionToolCallback.builder("toUpperCase", (TextInput input) -> input.input().toUpperCase()) + .inputType(TextInput.class) + .description("Put the text to upper case") + .build(); + } + +} diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/java/org/springframework/ai/mcp/sample/server/SecurityConfiguration.java b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/java/org/springframework/ai/mcp/sample/server/SecurityConfiguration.java new file mode 100644 index 0000000..db2f5f0 --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/java/org/springframework/ai/mcp/sample/server/SecurityConfiguration.java @@ -0,0 +1,41 @@ +/* + * Copyright 2025 - 2025 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.ai.mcp.sample.server; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer; +import org.springframework.security.web.SecurityFilterChain; +import static org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer.authorizationServer; + +@Configuration +@EnableWebSecurity +class SecurityConfiguration { + + @Bean + SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + return http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated()) + .with(authorizationServer(), Customizer.withDefaults()) + .oauth2ResourceServer(resource -> resource.jwt(Customizer.withDefaults())) + .csrf(CsrfConfigurer::disable) + .cors(Customizer.withDefaults()) + .build(); + } + +} diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/java/org/springframework/ai/mcp/sample/server/WeatherService.java b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/java/org/springframework/ai/mcp/sample/server/WeatherService.java new file mode 100644 index 0000000..8a243eb --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/java/org/springframework/ai/mcp/sample/server/WeatherService.java @@ -0,0 +1,145 @@ +/* +* Copyright 2024 - 2025 the original author or authors. +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* https://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ +package org.springframework.ai.mcp.sample.server; + +import java.util.List; +import java.util.Map; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; + +import org.springframework.ai.tool.annotation.Tool; +import org.springframework.stereotype.Service; +import org.springframework.web.client.RestClient; +import org.springframework.web.client.RestClientException; + +@Service +public class WeatherService { + + private static final String BASE_URL = "https://api.weather.gov"; + + private final RestClient restClient; + + public WeatherService() { + + this.restClient = RestClient.builder() + .baseUrl(BASE_URL) + .defaultHeader("Accept", "application/geo+json") + .defaultHeader("User-Agent", "WeatherApiClient/1.0 (your@email.com)") + .build(); + } + + @JsonIgnoreProperties(ignoreUnknown = true) + public record Points(@JsonProperty("properties") Props properties) { + @JsonIgnoreProperties(ignoreUnknown = true) + public record Props(@JsonProperty("forecast") String forecast) { + } + } + + @JsonIgnoreProperties(ignoreUnknown = true) + public record Forecast(@JsonProperty("properties") Props properties) { + @JsonIgnoreProperties(ignoreUnknown = true) + public record Props(@JsonProperty("periods") List periods) { + } + + @JsonIgnoreProperties(ignoreUnknown = true) + public record Period(@JsonProperty("number") Integer number, @JsonProperty("name") String name, + @JsonProperty("startTime") String startTime, @JsonProperty("endTime") String endTime, + @JsonProperty("isDaytime") Boolean isDayTime, @JsonProperty("temperature") Integer temperature, + @JsonProperty("temperatureUnit") String temperatureUnit, + @JsonProperty("temperatureTrend") String temperatureTrend, + @JsonProperty("probabilityOfPrecipitation") Map probabilityOfPrecipitation, + @JsonProperty("windSpeed") String windSpeed, @JsonProperty("windDirection") String windDirection, + @JsonProperty("icon") String icon, @JsonProperty("shortForecast") String shortForecast, + @JsonProperty("detailedForecast") String detailedForecast) { + } + } + + @JsonIgnoreProperties(ignoreUnknown = true) + public record Alert(@JsonProperty("features") List features) { + + @JsonIgnoreProperties(ignoreUnknown = true) + public record Feature(@JsonProperty("properties") Properties properties) { + } + + @JsonIgnoreProperties(ignoreUnknown = true) + public record Properties(@JsonProperty("event") String event, @JsonProperty("areaDesc") String areaDesc, + @JsonProperty("severity") String severity, @JsonProperty("description") String description, + @JsonProperty("instruction") String instruction) { + } + } + + /** + * Get forecast for a specific latitude/longitude + * @param latitude Latitude + * @param longitude Longitude + * @return The forecast for the given location + * @throws RestClientException if the request fails + */ + @Tool(description = "Get weather forecast for a specific latitude/longitude") + public String getWeatherForecastByLocation(double latitude, double longitude) { + + var points = restClient.get() + .uri("/points/{latitude},{longitude}", latitude, longitude) + .retrieve() + .body(Points.class); + + var forecast = restClient.get().uri(points.properties().forecast()).retrieve().body(Forecast.class); + + String forecastText = forecast.properties().periods().stream().map(p -> { + return String.format(""" + %s: + Temperature: %s %s + Wind: %s %s + Forecast: %s + """, p.name(), p.temperature(), p.temperatureUnit(), p.windSpeed(), p.windDirection(), + p.detailedForecast()); + }).collect(Collectors.joining()); + + return forecastText; + } + + /** + * Get alerts for a specific area + * @param state Area code. Two-letter US state code (e.g. CA, NY) + * @return Human readable alert information + * @throws RestClientException if the request fails + */ + @Tool(description = "Get weather alerts for a US state. Input is Two-letter US state code (e.g. CA, NY)") + public String getAlerts(String state) { + Alert alert = restClient.get().uri("/alerts/active/area/{state}", state).retrieve().body(Alert.class); + + return alert.features() + .stream() + .map(f -> String.format(""" + Event: %s + Area: %s + Severity: %s + Description: %s + Instructions: %s + """, f.properties().event(), f.properties.areaDesc(), f.properties.severity(), + f.properties.description(), f.properties.instruction())) + .collect(Collectors.joining("\n")); + } + + public static void main(String[] args) { + WeatherService client = new WeatherService(); + System.out.println(client.getWeatherForecastByLocation(47.6062, -122.3321)); + System.out.println(client.getAlerts("NY")); + } + +} \ No newline at end of file diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/resources/application.properties b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/resources/application.properties new file mode 100644 index 0000000..8abf4bd --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/main/resources/application.properties @@ -0,0 +1,24 @@ +# spring.main.web-application-type=none + +# NOTE: You must disable the banner and the console logging +# to allow the STDIO transport to work !!! +spring.main.banner-mode=off +# logging.pattern.console= + +# spring.ai.mcp.server.stdio=false + +spring.ai.mcp.server.name=my-weather-server +spring.ai.mcp.server.sse-message-endpoint=/mcp/message +spring.ai.mcp.server.version=0.0.1 + +spring.security.oauth2.authorizationserver.client.oidc-client.registration.client-id=mcp-client +spring.security.oauth2.authorizationserver.client.oidc-client.registration.client-secret={noop}secret +spring.security.oauth2.authorizationserver.client.oidc-client.registration.client-authentication-methods=client_secret_basic +spring.security.oauth2.authorizationserver.client.oidc-client.registration.authorization-grant-types=client_credentials + +logging.file.name=./model-context-protocol/weather/starter-webmvc-server/target/starter-webmvc-server.log + +# Avoid clobbering the default JSESSIONID cookie for other apps when running on localhost +server.servlet.session.cookie.name=WEATHER_MCP_SERVER_SESSION + +logging.level.org.springframework.security=TRACE \ No newline at end of file diff --git a/model-context-protocol/weather/starter-webmvc-oauth2-server/src/test/java/org/springframework/ai/mcp/sample/server/McpServerApplicationTests.java b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/test/java/org/springframework/ai/mcp/sample/server/McpServerApplicationTests.java new file mode 100644 index 0000000..831039b --- /dev/null +++ b/model-context-protocol/weather/starter-webmvc-oauth2-server/src/test/java/org/springframework/ai/mcp/sample/server/McpServerApplicationTests.java @@ -0,0 +1,108 @@ +/* + * Copyright 2025 - 2025 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.ai.mcp.sample.server; + +import com.fasterxml.jackson.databind.ObjectMapper; +import java.io.IOException; +import java.net.URI; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; +import java.nio.charset.StandardCharsets; +import java.time.Duration; +import java.util.Base64; +import java.util.Map; +import java.util.concurrent.atomic.AtomicInteger; +import org.junit.jupiter.api.Test; + +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.web.server.LocalServerPort; +import static java.net.http.HttpRequest.BodyPublishers.ofString; +import static org.assertj.core.api.Assertions.assertThat; +import static org.awaitility.Awaitility.await; + +/** + * @author Daniel Garnier-Moiroux + */ +@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, properties = "server.shutdown=immediate") +class McpServerApplicationTests { + + @LocalServerPort + private int port; + + private final ObjectMapper objectMapper = new ObjectMapper(); + + @Test + void whenTokenThenConnects() throws IOException, InterruptedException { + var accessToken = obtainAccessToken(); + + var client = HttpClient.newHttpClient(); + + var request = HttpRequest.newBuilder() + .uri(URI.create("http://localhost:" + port + "/sse")) + .header("Accept", "text/event-stream") + .header("Authorization", "Bearer " + accessToken) + .GET() + .build(); + + var responseCode = new AtomicInteger(-1); + var sseRequest = client.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()).thenApply(response -> { + responseCode.set(response.statusCode()); + if (response.statusCode() == 200) { + return response; + } + else { + throw new RuntimeException("Failed to connect to SSE endpoint: " + response.statusCode()); + } + }); + + await().atMost(Duration.ofSeconds(1)).until(sseRequest::isDone); + assertThat(sseRequest).isCompleted(); + assertThat(responseCode).hasValue(200); + } + + @Test + void whenNoTokenThenFails() throws IOException, InterruptedException { + var client = HttpClient.newHttpClient(); + var request = HttpRequest.newBuilder() + .uri(URI.create("http://localhost:" + port + "/sse")) + .header("Accept", "text/event-stream") + .GET() + .build(); + + var response = client.send(request, HttpResponse.BodyHandlers.discarding()).statusCode(); + assertThat(response).isEqualTo(401); + } + + private String obtainAccessToken() throws IOException, InterruptedException { + var client = HttpClient.newHttpClient(); + + var clearTextCredentials = "mcp-client:secret".getBytes(StandardCharsets.UTF_8); + var credentials = new String(Base64.getUrlEncoder().encode(clearTextCredentials)); + var request = HttpRequest.newBuilder() + .uri(URI.create("http://localhost:" + port + "/oauth2/token")) + .header("Authorization", "Basic " + credentials) + .header("Content-Type", "application/x-www-form-urlencoded") + .POST(ofString("grant_type=client_credentials")) + .build(); + + var rawResponse = client.send(request, HttpResponse.BodyHandlers.ofString()).body(); + + Map response = objectMapper.readValue(rawResponse, Map.class); + return response.get("access_token"); + } + +}