mcp-security modules are the only Java option that can be a full OAuth authorization server with dynamic client registration — via the mcp-authorization-server module, built on Spring Authorization Server. The official Java SDK deliberately delegates authorization to Spring, so this page is really about the Spring security modules. They’re authoritative; this page covers the choices and the one gotcha that matters most for MCP Manager.
Serve the STREAMABLE protocol
Use the WebMVC server starter (spring-ai-starter-mcp-server-webmvc) and set spring.ai.mcp.server.protocol=STREAMABLE (or STATELESS for a stateless deployment). That gives you the Streamable HTTP transport MCP Manager requires.
Choose a security module per MCP Manager mode
mcp-security has two distinct modules. Pick the one matching your chosen MCP Manager mode.
The gotcha: the default client repository is in-memory
If you runmcp-authorization-server, registered clients are stored in Spring Authorization Server’s RegisteredClientRepository, which defaults to InMemoryRegisteredClientRepository — dev/test only, and ephemeral. On a multi-instance deployment that’s the classic DCR failure: MCP Manager registers against one instance, the authorize hop lands on another, and the client isn’t found.
The fix is to wire a JdbcRegisteredClientRepository backed by a shared database (applying the oauth2-registered-client-schema.sql tables). This is an explicit configuration step — it does not happen automatically.
client_id and client_secret it first registered, so once the persistent repository is live, delete and re-add the server to force a fresh registration.MCP Manager compatibility checklist
STREAMABLE protocol on WebMVC
spring.ai.mcp.server.protocol=STREAMABLE
with the WebMVC starter;
mcp-security doesn’t cover WebFlux.Pick the right module
mcp-authorization-server for DCR;
mcp-server-security for
bearer-token resource-server;
McpApiKeyConfigurer for header
tokens.Use JdbcRegisteredClientRepository
Public issuer and resource
Spring AI gotchas
In-memory RegisteredClientRepository
In-memory RegisteredClientRepository
JdbcRegisteredClientRepository for production. See Debug Self-Hosted OAuth.WebFlux is not supported
WebFlux is not supported
mcp-security targets WebMVC. If
you’re on WebFlux, the security
modules don’t apply — plan for WebMVC
or handle auth yourself.Resource-identifier breadth
Resource-identifier breadth
resource identifiers. If you rely on per-resource audience separation, validate that behavior against your version.
