mcp-server: added servlet context to resource_metadata header (#22)

Author: fmgit00

mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/oauth2/authentication/BearerResourceMetadataTokenAuthenticationEntryPoint.java

@@ -63,7 +63,8 @@ public void commence(HttpServletRequest request, HttpServletResponse response,
 
 	private String buildResourceMetadataPath(HttpServletRequest request, ResourceIdentifier resourceIdentifier) {
 		return UriComponentsBuilder.fromUriString(UrlUtils.buildFullRequestUrl(request))
-			.replacePath("/.well-known/oauth-protected-resource" + resourceIdentifier.getPath())
+			.replacePath(
+					request.getContextPath() + "/.well-known/oauth-protected-resource" + resourceIdentifier.getPath())
 			.replaceQuery(null)
 			.fragment(null)
 			.toUriString();

mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/oauth2/metadata/ResourceIdentifier.java

@@ -43,7 +43,7 @@ public String getResource() {
 		var request = requestAttributes.getRequest();
 
 		return UriComponentsBuilder.fromUriString(UrlUtils.buildFullRequestUrl(request))
-			.replacePath(this.getPath())
+			.replacePath(request.getContextPath() + this.getPath())
 			.replaceQuery(null)
 			.fragment(null)
 			.toUriString();

mcp-server-security/src/test/java/org/springaicommunity/mcp/security/server/oauth2/authentication/BearerResourceMetadataTokenAuthenticationEntryPointTest.java

@@ -0,0 +1,66 @@
+package org.springaicommunity.mcp.security.server.oauth2.authentication;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springaicommunity.mcp.security.server.oauth2.metadata.ResourceIdentifier;
+import org.springframework.http.HttpHeaders;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.AuthenticationException;
+
+class BearerResourceMetadataTokenAuthenticationEntryPointTest {
+
+	private final MockHttpServletRequest request = new MockHttpServletRequest();
+
+	private final MockHttpServletResponse response = new MockHttpServletResponse();
+
+	private final ResourceIdentifier resourceIdentifier = new ResourceIdentifier("/mcp");
+
+	private final BearerResourceMetadataTokenAuthenticationEntryPoint entryPoint = new BearerResourceMetadataTokenAuthenticationEntryPoint(
+			resourceIdentifier);
+
+	@Test
+	void commence_ShouldAddCustomContextPath() throws Exception {
+		request.setContextPath("/foo");
+		request.setScheme("https");
+		request.setServerName("my.host.com");
+		request.setServerPort(443);
+		request.setRequestURI("/foo/some/endpoint");
+
+		response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer");
+
+		AuthenticationException authException = mock(AuthenticationException.class);
+
+		entryPoint.commence(request, response, authException);
+
+		String headerValue = response.getHeader(HttpHeaders.WWW_AUTHENTICATE);
+
+		assertThat(headerValue)
+			.contains("Bearer resource_metadata=https://my.host.com/foo/.well-known/oauth-protected-resource/mcp");
+
+	}
+
+	@Test
+	void commence_ShouldAddDefaultContextPath() throws Exception {
+		request.setContextPath("");
+		request.setScheme("https");
+		request.setServerName("my.host.com");
+		request.setServerPort(443);
+		request.setRequestURI("/some/endpoint");
+
+		response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer");
+
+		AuthenticationException authException = mock(AuthenticationException.class);
+
+		entryPoint.commence(request, response, authException);
+
+		String headerValue = response.getHeader(HttpHeaders.WWW_AUTHENTICATE);
+
+		assertThat(headerValue)
+			.contains("Bearer resource_metadata=https://my.host.com/.well-known/oauth-protected-resource/mcp");
+	}
+
+}

mcp-server-security/src/test/java/org/springaicommunity/mcp/security/server/oauth2/metadata/ResourceIdentifierTest.java

@@ -0,0 +1,58 @@
+package org.springaicommunity.mcp.security.server.oauth2.metadata;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.BDDAssertions.catchThrowable;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+class ResourceIdentifierTest {
+
+	@AfterEach
+	void tearDown() {
+		RequestContextHolder.resetRequestAttributes();
+	}
+
+	@Test
+	void constructor_ShouldThrowException_WhenPathIsEmpty() {
+		// when
+		Throwable thrown = catchThrowable(() -> new ResourceIdentifier(""));
+
+		// then
+		assertThat(thrown).isInstanceOf(IllegalArgumentException.class).hasMessageContaining("path cannot be empty");
+	}
+
+	@Test
+	void getPath_ShouldReturnGivenPath() {
+		// given
+		var identifier = new ResourceIdentifier("/my-resource");
+
+		// then
+		assertThat(identifier.getPath()).isEqualTo("/my-resource");
+	}
+
+	@Test
+	void getResource_ShouldBuildFullUrlBasedOnCurrentRequest() {
+		// given
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setScheme("https");
+		request.setServerName("my.host.com");
+		request.setServerPort(8443);
+		request.setContextPath("/foo");
+		request.setRequestURI("/foo/other/path");
+
+		RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
+
+		var identifier = new ResourceIdentifier("/mcp");
+
+		// when
+		String result = identifier.getResource();
+
+		// then
+		assertThat(result).isEqualTo("https://my.host.com:8443/foo/mcp");
+	}
+
+}