Package io.modelcontextprotocol.server.transport

Class DefaultServerTransportSecurityValidator

java.lang.Object

io.modelcontextprotocol.server.transport.DefaultServerTransportSecurityValidator

All Implemented Interfaces:

ServerTransportSecurityValidator

public final class DefaultServerTransportSecurityValidator
extends Object
implements ServerTransportSecurityValidator

Default implementation of ServerTransportSecurityValidator that validates the Origin and Host headers against lists of allowed values.

Supports exact matches and wildcard port patterns (e.g., "http://example.com:*" for origins, "example.com:*" for hosts).

Author:

Daniel Garnier-Moiroux

See Also:

• ServerTransportSecurityValidator
• ServerTransportSecurityException

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	DefaultServerTransportSecurityValidator.Builder	Builder for creating instances of DefaultServerTransportSecurityValidator.

Field Summary

Fields inherited from interface io.modelcontextprotocol.server.transport.ServerTransportSecurityValidator

NOOP

Method Summary

Modifier and Type	Method	Description
static DefaultServerTransportSecurityValidator.Builder	builder()	Creates a new builder for constructing a DefaultServerTransportSecurityValidator.
void	validateHeaders(Map<String,List<String>> headers)	Validates the HTTP headers from an incoming request.
protected void	validateOrigin(String origin)	Validates a single origin value against the allowed origins.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

validateHeaders

public void validateHeaders(Map<String,List<String>> headers)
                     throws ServerTransportSecurityException

Description copied from interface: ServerTransportSecurityValidator

Validates the HTTP headers from an incoming request.

Specified by:

validateHeaders in interface ServerTransportSecurityValidator

Parameters:

headers - A map of header names to their values (multi-valued headers supported)

Throws:

ServerTransportSecurityException - if validation fails

validateOrigin

protected void validateOrigin(String origin)
                       throws ServerTransportSecurityException

Validates a single origin value against the allowed origins. Subclasses can override this method to customize origin validation logic.

Parameters:

origin - The origin header value, or null if not present

Throws:

ServerTransportSecurityException - if the origin is not allowed

builder

public static DefaultServerTransportSecurityValidator.Builder builder()

Creates a new builder for constructing a DefaultServerTransportSecurityValidator.

Returns:

A new builder instance