Securing Spring AI MCP servers with OAuth2

Spring AI offers support for Model Context Protocol, or MCP for short, which allows AI models to interact with and access external tools and resources in a structured way. With Spring AI, developers can create their own MCP Servers and expose capabilities to AI models in just a few lines of code.

Authorization and security in MCP

MCP Servers can run locally, using the STDIO transport. To expose an MCP server to the outside world, it must expose a few standard HTTP endpoints. While MCP Servers used privately might not require strict authentication, enterprise deployments need robust security and permission management for exposed endpoints. This challenge is addressed in the newest version of the MCP specification (2025-03-26), which was released last week. It lays the foundation for securing communications between Clients and Servers, leveraging the widespread OAuth2 framework

This Week in Sprng - April 1st, 2025

Engineering | Josh Long | April 01, 2025 | ...

Hi, Spring fans! Welcome to another exciting installment of This Week in Spring! It's April Fools day, so be wary of things you read on the internet, but it's also the 11th anniversary of Spring Boot 1.0, which was released this day in 2014! (that's not an April Fools). Happy birthday!

I'm in excellent Austin, TX, at Dr. Venkat Subramaniam's phenomenal Arc of AI show. I love this show! So many amazing people - many of whom also happen to be world-class speakers and engineers - converge in one place to synthesize their vantage point on "A.I." in one hour. Of course, I will be talking about…

Using Spring AI 1.0.0-SNAPSHOT: Important Changes and Updates

Engineering | Mark Pollack | March 25, 2025 | ...

Using Spring AI 1.0.0-SNAPSHOT: Important Changes and Updates

Spring AI 1.0.0-SNAPSHOT introduces several important changes to artifact IDs, dependency management, and autoconfiguration. This blog post outlines these changes and provides guidance on how to update your projects.

The most significant change is the naming pattern for Spring AI starter artifacts:

  • Model starters: spring-ai-{model}-spring-boot-starterspring-ai-starter-model-{model}
  • Vector Store starters: spring-ai-{store}-store-spring-boot-starterspring-ai-starter-vector-store-{store}
  • MCP starters: spring-ai-mcp-{type}-spring-boot-starterspring-ai-starter-mcp-{type}

This Week in Spring - March 25th, 2025

Engineering | Josh Long | March 25, 2025 | ...

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week, I’m in Portland, OR, then I'm off to Austin, TX for the Arc of AI show, and then I'm off to Amsterdam for Voxxed Days Amsterdam! If you're around, be sure to say hi! There's a ton of cool stuff to look at, so without any further ado, let's dive right into it!

This Week in Spring – March 18th, 2025

Engineering | Josh Long | March 18, 2025 | ...

Hi, Spring fans! I just got back from the amazing JavaOne show held in Redwood Shores. It was a fun, uproarious event and a great chance to reconnect with tons of friends, old and new.

I love this community!

One of the central highlights of this show? Java 24 is here, finally!

And, as usual, we've got tons of news—some old, but mostly, well, new. Let's dive right into it!

This Week in Sprng - March 11th, 2025

Engineering | Josh Long | March 11, 2025 | ...

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's a busy week as always, fresh off the rush that was Devnexus and busily preparing for the fun that is JavaOne! It's going to be epic!

Null Safety in Spring applications with JSpecify and NullAway

Engineering | Sébastien Deleuze | March 10, 2025 | ...

The initial introduction of the null safety support in Spring dates back to 2017 and the release of Spring Framework 5.0. In 2025, we are evolving that story to bring more added value for Spring developers, either in Java or Kotlin. But before having a deeper look to the changes we are working on, let me explain why we do that and what are the expected benefits.

What problem do we try to solve?

Let's take a concrete example, and say we are using a library that provides a TokenExtractor interface defined as follow:

interface TokenExtractor {
    
    /**
     * Extract a token from a {@link…

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all