refactor: add deprecation path for validateHeaders API

neerajbhatt · neerajbhatt · commit 83c796c9eff2 · 2026-05-26T22:07:21.000+05:30
Instead of a breaking change, introduce a deprecation path:
- Keep validateHeaders(Map) as deprecated default method that bridges
  to the new validateHeaders(Function) via case-insensitive lookup
- New implementations override validateHeaders(Function) for efficiency
- Transport providers continue calling validateHeaders(Map) for backward
  compatibility with existing custom implementations
- Restore HttpServletRequestUtils for header extraction in transports
- Add tests for deprecated Map-based API and interface bridge behavior
diff --git a/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletRequestUtils.java b/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletRequestUtils.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2026-2026 the original author or authors.
+ */
+
+package io.modelcontextprotocol.server.transport;
+
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+/**
+ * Utility methods for working with {@link HttpServletRequest}. For internal use only.
+ *
+ * @author Daniel Garnier-Moiroux
+ */
+final class HttpServletRequestUtils {
+
+	private HttpServletRequestUtils() {
+	}
+
+	/**
+	 * Extracts all headers from the HTTP request into a map.
+	 * @param request The HTTP servlet request
+	 * @return A map of header names to their values
+	 */
+	static Map<String, List<String>> extractHeaders(HttpServletRequest request) {
+		Map<String, List<String>> headers = new HashMap<>();
+		Enumeration<String> names = request.getHeaderNames();
+		while (names.hasMoreElements()) {
+			String name = names.nextElement();
+			headers.put(name, Collections.list(request.getHeaders(name)));
+		}
+		return headers;
+	}
+
+}
diff --git a/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java b/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java
@@ -8,7 +8,6 @@
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.time.Duration;
-import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@@ -281,7 +280,8 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 		}
 
 		try {
-			this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));
+			Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);
+			this.securityValidator.validateHeaders(headers);
 		}
 		catch (ServerTransportSecurityException e) {
 			response.sendError(e.getStatusCode(), e.getMessage());
@@ -353,7 +353,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 		}
 
 		try {
-			this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));
+			Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);
+			this.securityValidator.validateHeaders(headers);
 		}
 		catch (ServerTransportSecurityException e) {
 			response.sendError(e.getStatusCode(), e.getMessage());
diff --git a/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStatelessServerTransport.java b/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStatelessServerTransport.java
@@ -7,8 +7,8 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.PrintWriter;
-import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -134,7 +134,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 		}
 
 		try {
-			this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));
+			Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);
+			this.securityValidator.validateHeaders(headers);
 		}
 		catch (ServerTransportSecurityException e) {
 			response.sendError(e.getStatusCode(), e.getMessage());
diff --git a/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java b/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java
@@ -9,7 +9,6 @@
 import java.io.PrintWriter;
 import java.time.Duration;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
@@ -272,7 +271,8 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 		}
 
 		try {
-			this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));
+			Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);
+			this.securityValidator.validateHeaders(headers);
 		}
 		catch (ServerTransportSecurityException e) {
 			response.sendError(e.getStatusCode(), e.getMessage());
@@ -407,7 +407,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 		}
 
 		try {
-			this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));
+			Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);
+			this.securityValidator.validateHeaders(headers);
 		}
 		catch (ServerTransportSecurityException e) {
 			response.sendError(e.getStatusCode(), e.getMessage());
@@ -587,7 +588,8 @@ protected void doDelete(HttpServletRequest request, HttpServletResponse response
 		}
 
 		try {
-			this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));
+			Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);
+			this.securityValidator.validateHeaders(headers);
 		}
 		catch (ServerTransportSecurityException e) {
 			response.sendError(e.getStatusCode(), e.getMessage());
diff --git a/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/ServerTransportSecurityValidator.java b/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/ServerTransportSecurityValidator.java
@@ -5,33 +5,69 @@
 package io.modelcontextprotocol.server.transport;
 
 import java.util.List;
+import java.util.Map;
 import java.util.function.Function;
 
 /**
  * Interface for validating HTTP requests in server transports. Implementations can
  * validate Origin headers, Host headers, or any other security-related headers according
  * to the MCP specification.
  *
+ * <p>
+ * New implementations should override {@link #validateHeaders(Function)
+ * validateHeaders(Function)} for more efficient, case-insensitive header access. The
+ * older {@link #validateHeaders(Map) validateHeaders(Map)} is deprecated and will be
+ * removed in a future major version.
+ *
  * @author Daniel Garnier-Moiroux
  * @see DefaultServerTransportSecurityValidator
  * @see ServerTransportSecurityException
  */
-@FunctionalInterface
 public interface ServerTransportSecurityValidator {
 
 	/**
 	 * A no-op validator that accepts all requests without validation.
 	 */
-	ServerTransportSecurityValidator NOOP = headerAccessor -> {
+	ServerTransportSecurityValidator NOOP = new ServerTransportSecurityValidator() {
 	};
 
 	/**
 	 * Validates the HTTP headers from an incoming request.
+	 *
+	 * <p>
+	 * The default implementation converts the map into a case-insensitive header accessor
+	 * and delegates to {@link #validateHeaders(Function)}.
+	 * @param headers A map of header names to their values (multi-valued headers
+	 * supported)
+	 * @throws ServerTransportSecurityException if validation fails
+	 * @deprecated Use {@link #validateHeaders(Function)} instead for more efficient,
+	 * case-insensitive header access. This method will be removed in a future major
+	 * version.
+	 */
+	@Deprecated
+	default void validateHeaders(Map<String, List<String>> headers) throws ServerTransportSecurityException {
+		validateHeaders(name -> headers.entrySet()
+			.stream()
+			.filter(e -> e.getKey().equalsIgnoreCase(name))
+			.map(Map.Entry::getValue)
+			.findFirst()
+			.orElse(List.of()));
+	}
+
+	/**
+	 * Validates the HTTP headers from an incoming request using a header accessor
+	 * function.
+	 *
+	 * <p>
+	 * New implementations should override this method. Header name lookup through the
+	 * accessor should be case-insensitive (e.g., when backed by
+	 * {@code HttpServletRequest.getHeaders}).
 	 * @param headerAccessor A function that returns the list of values for a given header
-	 * name, or an empty list if the header is not present. Header name lookup should be
-	 * case-insensitive.
+	 * name, or an empty list if the header is not present.
 	 * @throws ServerTransportSecurityException if validation fails
 	 */
-	void validateHeaders(Function<String, List<String>> headerAccessor) throws ServerTransportSecurityException;
+	default void validateHeaders(Function<String, List<String>> headerAccessor)
+			throws ServerTransportSecurityException {
+	}
 
 }
diff --git a/mcp-core/src/test/java/io/modelcontextprotocol/server/transport/DefaultServerTransportSecurityValidatorTests.java b/mcp-core/src/test/java/io/modelcontextprotocol/server/transport/DefaultServerTransportSecurityValidatorTests.java
@@ -404,6 +404,116 @@ void originValidHostMissing() {
 
 	}
 
+	@Nested
+	class DeprecatedMapBasedApi {
+
+		@Test
+		void originValidation() {
+			Map<String, List<String>> headers = new HashMap<>();
+			headers.put("Origin", List.of("http://localhost:8080"));
+
+			assertThatCode(() -> validator.validateHeaders(headers)).doesNotThrowAnyException();
+		}
+
+		@Test
+		void originRejected() {
+			Map<String, List<String>> headers = new HashMap<>();
+			headers.put("Origin", List.of("http://malicious.example.com"));
+
+			assertThatThrownBy(() -> validator.validateHeaders(headers)).isEqualTo(INVALID_ORIGIN);
+		}
+
+		@Test
+		void caseInsensitiveHeaderLookup() {
+			Map<String, List<String>> headers = new HashMap<>();
+			headers.put("origin", List.of("http://localhost:8080"));
+
+			assertThatCode(() -> validator.validateHeaders(headers)).doesNotThrowAnyException();
+		}
+
+		@Test
+		void hostValidation() {
+			DefaultServerTransportSecurityValidator hostValidator = DefaultServerTransportSecurityValidator.builder()
+				.allowedHost("localhost:8080")
+				.build();
+
+			Map<String, List<String>> headers = new HashMap<>();
+			headers.put("Host", List.of("localhost:8080"));
+
+			assertThatCode(() -> hostValidator.validateHeaders(headers)).doesNotThrowAnyException();
+		}
+
+		@Test
+		void hostRejected() {
+			DefaultServerTransportSecurityValidator hostValidator = DefaultServerTransportSecurityValidator.builder()
+				.allowedHost("localhost:8080")
+				.build();
+
+			Map<String, List<String>> headers = new HashMap<>();
+			headers.put("Host", List.of("malicious.com:8080"));
+
+			assertThatThrownBy(() -> hostValidator.validateHeaders(headers)).isEqualTo(INVALID_HOST);
+		}
+
+		@Test
+		void emptyHeaders() {
+			assertThatCode(() -> validator.validateHeaders(new HashMap<>())).doesNotThrowAnyException();
+		}
+
+		@Test
+		void combinedOriginAndHost() {
+			DefaultServerTransportSecurityValidator combinedValidator = DefaultServerTransportSecurityValidator
+				.builder()
+				.allowedOrigin("http://localhost:*")
+				.allowedHost("localhost:*")
+				.build();
+
+			Map<String, List<String>> headers = new HashMap<>();
+			headers.put("Origin", List.of("http://localhost:8080"));
+			headers.put("Host", List.of("localhost:8080"));
+
+			assertThatCode(() -> combinedValidator.validateHeaders(headers)).doesNotThrowAnyException();
+		}
+
+	}
+
+	@Nested
+	class InterfaceDefaultBridge {
+
+		@Test
+		void noopAcceptsAll() {
+			assertThatCode(() -> ServerTransportSecurityValidator.NOOP.validateHeaders(emptyAccessor()))
+				.doesNotThrowAnyException();
+			assertThatCode(() -> ServerTransportSecurityValidator.NOOP.validateHeaders(new HashMap<>()))
+				.doesNotThrowAnyException();
+		}
+
+		@Test
+		void mapDefaultBridgesToFunctionOverride() {
+			// A validator that only overrides the Function method should still work
+			// when called via the deprecated Map method
+			ServerTransportSecurityValidator functionOnlyValidator = new ServerTransportSecurityValidator() {
+				@Override
+				public void validateHeaders(Function<String, List<String>> headerAccessor)
+						throws ServerTransportSecurityException {
+					List<String> origins = headerAccessor.apply("Origin");
+					if (origins != null && !origins.isEmpty() && origins.get(0).contains("evil")) {
+						throw new ServerTransportSecurityException(403, "Invalid Origin header");
+					}
+				}
+			};
+
+			Map<String, List<String>> goodHeaders = new HashMap<>();
+			goodHeaders.put("Origin", List.of("http://good.example.com"));
+			assertThatCode(() -> functionOnlyValidator.validateHeaders(goodHeaders)).doesNotThrowAnyException();
+
+			Map<String, List<String>> evilHeaders = new HashMap<>();
+			evilHeaders.put("Origin", List.of("http://evil.example.com"));
+			assertThatThrownBy(() -> functionOnlyValidator.validateHeaders(evilHeaders)).isEqualTo(INVALID_ORIGIN);
+		}
+
+	}
+
 	private static Function<String, List<String>> emptyAccessor() {
 		return name -> List.of();
 	}

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,6 @@`
`8`	`8`	`import java.io.IOException;`
`9`	`9`	`import java.io.PrintWriter;`
`10`	`10`	`import java.time.Duration;`
`11`		`-import java.util.Collections;`
`12`	`11`	`import java.util.List;`
`13`	`12`	`import java.util.Map;`
`14`	`13`	`import java.util.UUID;`
`@@ -281,7 +280,8 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)`
`281`	`280`	`}`
`282`	`281`
`283`	`282`	`try {`
`284`		`- this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));`
	`283`	`+ Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);`
	`284`	`+ this.securityValidator.validateHeaders(headers);`
`285`	`285`	`}`
`286`	`286`	`catch (ServerTransportSecurityException e) {`
`287`	`287`	`response.sendError(e.getStatusCode(), e.getMessage());`
`@@ -353,7 +353,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)`
`353`	`353`	`}`
`354`	`354`
`355`	`355`	`try {`
`356`		`- this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));`
	`356`	`+ Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);`
	`357`	`+ this.securityValidator.validateHeaders(headers);`
`357`	`358`	`}`
`358`	`359`	`catch (ServerTransportSecurityException e) {`
`359`	`360`	`response.sendError(e.getStatusCode(), e.getMessage());`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,6 @@`
`9`	`9`	`import java.io.PrintWriter;`
`10`	`10`	`import java.time.Duration;`
`11`	`11`	`import java.util.ArrayList;`
`12`		`-import java.util.Collections;`
`13`	`12`	`import java.util.List;`
`14`	`13`	`import java.util.Map;`
`15`	`14`	`import java.util.concurrent.ConcurrentHashMap;`
`@@ -272,7 +271,8 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)`
`272`	`271`	`}`
`273`	`272`
`274`	`273`	`try {`
`275`		`- this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));`
	`274`	`+ Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);`
	`275`	`+ this.securityValidator.validateHeaders(headers);`
`276`	`276`	`}`
`277`	`277`	`catch (ServerTransportSecurityException e) {`
`278`	`278`	`response.sendError(e.getStatusCode(), e.getMessage());`
`@@ -407,7 +407,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)`
`407`	`407`	`}`
`408`	`408`
`409`	`409`	`try {`
`410`		`- this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));`
	`410`	`+ Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);`
	`411`	`+ this.securityValidator.validateHeaders(headers);`
`411`	`412`	`}`
`412`	`413`	`catch (ServerTransportSecurityException e) {`
`413`	`414`	`response.sendError(e.getStatusCode(), e.getMessage());`
`@@ -587,7 +588,8 @@ protected void doDelete(HttpServletRequest request, HttpServletResponse response`
`587`	`588`	`}`
`588`	`589`
`589`	`590`	`try {`
`590`		`- this.securityValidator.validateHeaders(name -> Collections.list(request.getHeaders(name)));`
	`591`	`+ Map<String, List<String>> headers = HttpServletRequestUtils.extractHeaders(request);`
	`592`	`+ this.securityValidator.validateHeaders(headers);`
`591`	`593`	`}`
`592`	`594`	`catch (ServerTransportSecurityException e) {`
`593`	`595`	`response.sendError(e.getStatusCode(), e.getMessage());`