Interface McpCorsAuthorizer

@ThreadSafe
public interface McpCorsAuthorizer

CORS authorization contract for MCP transport requests.

Author:

Mark Allen

Method Summary

Modifier and Type	Method	Description
static @NonNull McpCorsAuthorizer	acceptAllInstance()	Acquires an authorizer that allows all browser origins and always enables credentials.
@NonNull Optional<CorsResponse>	authorize(@NonNull McpCorsContext context, @NonNull Cors cors)	Authorizes a non-preflight browser-originated MCP request and, when allowed, supplies the CORS response metadata to apply.
@NonNull Optional<CorsPreflightResponse>	authorizePreflight(@NonNull McpCorsContext context, @NonNull CorsPreflight corsPreflight, @NonNull Set<@NonNull HttpMethod> availableHttpMethods)	Authorizes a browser preflight request for the MCP transport.
static @NonNull McpCorsAuthorizer	fromOriginAuthorizer(@NonNull Predicate<@NonNull McpCorsContext> originAuthorizer)	Acquires an authorizer backed by an origin-authorization predicate and with credentials disabled by default.
static @NonNull McpCorsAuthorizer	fromOriginAuthorizer(@NonNull Predicate<@NonNull McpCorsContext> originAuthorizer, @NonNull Function<String,Boolean> allowCredentialsResolver)	Acquires an authorizer backed by an origin-authorization predicate plus a credentials resolver.
static @NonNull McpCorsAuthorizer	fromWhitelistedOrigins(@NonNull Set<@NonNull String> whitelistedOrigins)	Acquires an authorizer that allows only the provided normalized origins and disables credentials by default.
static @NonNull McpCorsAuthorizer	fromWhitelistedOrigins(@NonNull Set<@NonNull String> whitelistedOrigins, @NonNull Function<String,Boolean> allowCredentialsResolver)	Acquires an authorizer that allows only the provided normalized origins and delegates credential behavior per origin.
static @NonNull McpCorsAuthorizer	nonBrowserClientsOnlyInstance()	Acquires the conservative default authorizer that leaves non-browser MCP requests alone while rejecting browser CORS authorization.
static @NonNull McpCorsAuthorizer	rejectAllInstance()	Acquires an authorizer that rejects all browser-originated MCP CORS requests.

Method Details

authorize

@NonNull Optional<CorsResponse> authorize(@NonNull McpCorsContext context,
 @NonNull Cors cors)

Authorizes a non-preflight browser-originated MCP request and, when allowed, supplies the CORS response metadata to apply.

Parameters:

context - the MCP CORS context

cors - the parsed Soklet CORS request metadata

Returns:

the CORS response metadata to apply, or Optional.empty() to withhold CORS authorization

authorizePreflight

@NonNull Optional<CorsPreflightResponse> authorizePreflight(@NonNull McpCorsContext context,
 @NonNull CorsPreflight corsPreflight,
 @NonNull Set<@NonNull HttpMethod> availableHttpMethods)

Authorizes a browser preflight request for the MCP transport.

Parameters:

context - the MCP CORS context

corsPreflight - the parsed preflight metadata

availableHttpMethods - the MCP transport methods available for the current endpoint

Returns:

the preflight response metadata to apply, or Optional.empty() to reject the preflight

rejectAllInstance

static @NonNull McpCorsAuthorizer rejectAllInstance()

Acquires an authorizer that rejects all browser-originated MCP CORS requests.

Returns:

a rejecting authorizer

nonBrowserClientsOnlyInstance

static @NonNull McpCorsAuthorizer nonBrowserClientsOnlyInstance()

Acquires the conservative default authorizer that leaves non-browser MCP requests alone while rejecting browser CORS authorization.

Returns:

the default non-browser-only authorizer

acceptAllInstance

static @NonNull McpCorsAuthorizer acceptAllInstance()

Acquires an authorizer that allows all browser origins and always enables credentials.

Returns:

a permissive authorizer

fromWhitelistedOrigins

static @NonNull McpCorsAuthorizer fromWhitelistedOrigins(@NonNull Set<@NonNull String> whitelistedOrigins)

Acquires an authorizer that allows only the provided normalized origins and disables credentials by default.

Parameters:

whitelistedOrigins - the origins to allow

Returns:

a whitelisting authorizer

fromWhitelistedOrigins

static @NonNull McpCorsAuthorizer fromWhitelistedOrigins(@NonNull Set<@NonNull String> whitelistedOrigins,
 @NonNull Function<String,Boolean> allowCredentialsResolver)

Acquires an authorizer that allows only the provided normalized origins and delegates credential behavior per origin.

Parameters:

whitelistedOrigins - the origins to allow

allowCredentialsResolver - resolves whether credentials should be allowed for an origin

Returns:

a whitelisting authorizer

fromOriginAuthorizer

static @NonNull McpCorsAuthorizer fromOriginAuthorizer(@NonNull Predicate<@NonNull McpCorsContext> originAuthorizer)

Acquires an authorizer backed by an origin-authorization predicate and with credentials disabled by default.

Parameters:

originAuthorizer - the origin predicate

Returns:

an authorizer backed by the predicate

fromOriginAuthorizer

static @NonNull McpCorsAuthorizer fromOriginAuthorizer(@NonNull Predicate<@NonNull McpCorsContext> originAuthorizer,
 @NonNull Function<String,Boolean> allowCredentialsResolver)

Acquires an authorizer backed by an origin-authorization predicate plus a credentials resolver.

Parameters:

originAuthorizer - the origin predicate

allowCredentialsResolver - resolves whether credentials should be allowed for an origin

Returns:

an authorizer backed by the supplied callbacks