Class McpRequestProcessor

java.lang.Object
org.mockserver.netty.mcp.McpRequestProcessor

public class McpRequestProcessor extends Object
Transport-neutral MCP (Model Context Protocol) JSON-RPC request processor.

This class contains all the MCP protocol logic (JSON-RPC parsing, session management, tool/resource dispatch, response construction) without any dependency on a specific transport (Netty HTTP/1.1, HTTP/2, or HTTP/3).

Both McpStreamableHttpHandler (TCP path) and the HTTP/3 MCP dispatch in Http3MockServerHandler delegate to this processor.

  • Constructor Details

  • Method Details

    • getSessionManager

      public McpSessionManager getSessionManager()
      Returns the session manager used by this processor.
    • isMcpPath

      public static boolean isMcpPath(String path)
      Check if a path matches the MCP endpoint.
    • handlePost

      public McpRequestProcessor.McpResult handlePost(String requestBody, String mcpSessionId)
      Process an MCP POST request. The request is authenticated by the transport handler BEFORE this is called; the principal's verified scopes are passed in so per-tool control-plane authorization can be enforced for tools/call (a mutating tool requires the MUTATE role, a reading tool the READ role). Equivalent to handlePost(String, String, java.util.Set) with null scopes, used by callers that do not (yet) carry an authenticated result.
      Parameters:
      requestBody - the raw JSON body
      mcpSessionId - the Mcp-Session-Id header value (may be null)
      Returns:
      the result to write back
    • handlePost

      public McpRequestProcessor.McpResult handlePost(String requestBody, String mcpSessionId, Set<String> scopes)
      Process an MCP POST request, enforcing per-tool control-plane authorization for tools/call using the authenticated principal's verified scopes.

      Authorization is delegated to HttpState.controlPlaneToolAuthorized(java.util.Set<java.lang.String>, boolean, java.lang.String) — the SAME authorizer/role model as the HTTP control plane — and is gated by controlPlaneAuthorizationEnabled: when that is off (the default), authorization always passes and behaviour is unchanged.

      Parameters:
      requestBody - the raw JSON body
      mcpSessionId - the Mcp-Session-Id header value (may be null)
      scopes - the authenticated principal's verified scopes (null when authorization is not enforced)
      Returns:
      the result to write back
    • handleDelete

      public McpRequestProcessor.McpResult handleDelete(String mcpSessionId)
      Process an MCP DELETE request.
      Parameters:
      mcpSessionId - the Mcp-Session-Id header value
      Returns:
      the result to write back
    • handleGet

      public McpRequestProcessor.McpResult handleGet()
      Process an MCP GET request (currently not supported -- returns 405).
      Returns:
      the result to write back
    • handleOptions

      public McpRequestProcessor.McpResult handleOptions(boolean hasOrigin)
      Process an MCP OPTIONS request (CORS preflight or method-not-allowed).
      Parameters:
      hasOrigin - whether the request has an Origin header
      Returns:
      the result to write back