Fix formatting. Remove security docs

Signed-off-by: Christian Tzolov <christian.tzolov@broadcom.com>

Author: tzolov

docs/client.md

@@ -437,160 +437,3 @@ The prompt system enables interaction with server-side prompt templates. These t
     client.getPrompt(new GetPromptRequest("greeting", Map.of("name", "World")))
         .subscribe();
     ```
-
-## MCP Security
-
-The [MCP Security](https://github.com/spring-ai-community/mcp-security) community library provides OAuth 2.0 authorization support for Spring AI MCP clients. It supports both `HttpClient`-based and `WebClient`-based (WebFlux) MCP clients used with the [Spring AI MCP Client Boot Starter](https://docs.spring.io/spring-ai/reference/2.0-SNAPSHOT/api/mcp/mcp-client-boot-starter-docs.html).
-
-!!! note
-    This is a community project (`org.springaicommunity`), not officially part of the MCP Java SDK. It requires Spring AI 2.0.x (`mcp-client-security` version 0.1.x). For Spring AI 1.1.x, use version 0.0.6.
-
-### Add Dependency
-
-=== "Maven"
-
-    ```xml
-    <dependency>
-        <groupId>org.springaicommunity</groupId>
-        <artifactId>mcp-client-security</artifactId>
-        <version>0.1.1</version>
-    </dependency>
-    ```
-
-=== "Gradle"
-
-    ```groovy
-    implementation("org.springaicommunity:mcp-client-security:0.1.1")
-    ```
-
-### Authorization Flows
-
-Three OAuth 2.0 flows are available:
-
-- **Authorization Code** — For user-present scenarios. The client sends requests with a bearer token on behalf of the user. Use `OAuth2AuthorizationCodeSyncHttpRequestCustomizer` (HttpClient) or `McpOAuth2AuthorizationCodeExchangeFilterFunction` (WebClient).
-- **Client Credentials** — For machine-to-machine communication without a user in the loop. Use `OAuth2ClientCredentialsSyncHttpRequestCustomizer` (HttpClient) or `McpOAuth2ClientCredentialsExchangeFilterFunction` (WebClient).
-- **Hybrid** — For mixed scenarios where some calls (e.g., `tools/list` on startup) use client credentials, while user-specific calls (e.g., `tools/call`) use authorization code tokens. Use `OAuth2HybridSyncHttpRequestCustomizer` (HttpClient) or `McpOAuth2HybridExchangeFilterFunction` (WebClient).
-
-!!! tip
-    Use the **Hybrid** flow when Spring AI's autoconfiguration initializes MCP clients on startup (listing tools before a user is present), but tool calls are user-authenticated.
-
-### Setup
-
-Add the following to `application.properties`:
-
-```properties
-# Ensure MCP clients are sync
-spring.ai.mcp.client.type=SYNC
-# Disable auto-initialization (most MCP servers require authentication on every request)
-spring.ai.mcp.client.initialized=false
-
-# Authorization Code client registration (for user-present flows)
-spring.security.oauth2.client.registration.authserver.client-id=<CLIENT_ID>
-spring.security.oauth2.client.registration.authserver.client-secret=<CLIENT_SECRET>
-spring.security.oauth2.client.registration.authserver.authorization-grant-type=authorization_code
-spring.security.oauth2.client.registration.authserver.provider=authserver
-
-# Client Credentials registration (for machine-to-machine or hybrid flows)
-spring.security.oauth2.client.registration.authserver-client-credentials.client-id=<CLIENT_ID>
-spring.security.oauth2.client.registration.authserver-client-credentials.client-secret=<CLIENT_SECRET>
-spring.security.oauth2.client.registration.authserver-client-credentials.authorization-grant-type=client_credentials
-spring.security.oauth2.client.registration.authserver-client-credentials.provider=authserver
-
-# Authorization server issuer URI
-spring.security.oauth2.client.provider.authserver.issuer-uri=<ISSUER_URI>
-```
-
-Then activate OAuth2 client support in a security configuration class:
-
-```java
-@Configuration
-@EnableWebSecurity
-class SecurityConfiguration {
-
-    @Bean
-    SecurityFilterChain securityFilterChain(HttpSecurity http) {
-        return http
-                .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
-                .oauth2Client(Customizer.withDefaults())
-                .build();
-    }
-}
-```
-
-### HttpClient-Based Client
-
-When using `spring-ai-starter-mcp-client`, the transport is backed by the JDK's `HttpClient`. Expose a `McpSyncHttpClientRequestCustomizer` bean and an `AuthenticationMcpTransportContextProvider` on the client:
-
-```java
-@Configuration
-class McpConfiguration {
-
-    @Bean
-    McpSyncClientCustomizer syncClientCustomizer() {
-        return (name, syncSpec) ->
-                syncSpec.transportContextProvider(
-                        new AuthenticationMcpTransportContextProvider()
-                );
-    }
-
-    @Bean
-    McpSyncHttpClientRequestCustomizer requestCustomizer(
-            OAuth2AuthorizedClientManager clientManager
-    ) {
-        // "authserver" must match the registration name in application.properties
-        return new OAuth2AuthorizationCodeSyncHttpRequestCustomizer(
-                clientManager,
-                "authserver"
-        );
-    }
-}
-```
-
-Replace `OAuth2AuthorizationCodeSyncHttpRequestCustomizer` with `OAuth2ClientCredentialsSyncHttpRequestCustomizer` or `OAuth2HybridSyncHttpRequestCustomizer` for the corresponding flow.
-
-### WebClient-Based Client
-
-When using `spring-ai-starter-mcp-client-webflux`, the transport is backed by Spring's reactive `WebClient`. Expose a `WebClient.Builder` bean configured with an `ExchangeFilterFunction`:
-
-```java
-@Configuration
-class McpConfiguration {
-
-    @Bean
-    McpSyncClientCustomizer syncClientCustomizer() {
-        return (name, syncSpec) ->
-                syncSpec.transportContextProvider(
-                        new AuthenticationMcpTransportContextProvider()
-                );
-    }
-
-    @Bean
-    WebClient.Builder mcpWebClientBuilder(OAuth2AuthorizedClientManager clientManager) {
-        // "authserver" must match the registration name in application.properties
-        return WebClient.builder().filter(
-                new McpOAuth2AuthorizationCodeExchangeFilterFunction(
-                        clientManager,
-                        "authserver"
-                )
-        );
-    }
-}
-```
-
-Replace `McpOAuth2AuthorizationCodeExchangeFilterFunction` with `McpOAuth2ClientCredentialsExchangeFilterFunction` or `McpOAuth2HybridExchangeFilterFunction` for the corresponding flow.
-
-When using the chat client's `.stream()` method, Reactor does not preserve thread-locals. Inject the authentication into the Reactor context manually:
-
-```java
-chatClient
-    .prompt("<your prompt>")
-    .stream()
-    .content()
-    .contextWrite(AuthenticationMcpTransportContextProvider.writeToReactorContext());
-```
-
-### Known Limitations
-
-- Only `McpSyncClient` is supported; async clients are not.
-- Set `spring.ai.mcp.client.initialized=false` when servers require authentication on every request, as Spring AI autoconfiguration will otherwise attempt to list tools on startup without a token.
-- The SSE transport is supported by the client module (unlike the server module).

docs/server.md

@@ -756,182 +756,6 @@ mcpClient.setLoggingLevel(McpSchema.LoggingLevel.INFO);
 Clients can control the minimum logging level they receive through the `mcpClient.setLoggingLevel(level)` request. Messages below the set level will be filtered out.
 Supported logging levels (in order of increasing severity): DEBUG (0), INFO (1), NOTICE (2), WARNING (3), ERROR (4), CRITICAL (5), ALERT (6), EMERGENCY (7)
 
-## MCP Security
-
-The [MCP Security](https://github.com/spring-ai-community/mcp-security) community library provides OAuth 2.0 resource server support and API key authentication for Spring AI MCP servers.
-
-!!! note
-    This is a community project (`org.springaicommunity`), not officially part of the MCP Java SDK. It requires Spring AI 2.0.x (`mcp-server-security` version 0.1.x) and is compatible with **Spring WebMVC-based servers only**. For Spring AI 1.1.x, use version 0.0.6.
-
-### Add Dependency
-
-=== "Maven"
-
-    ```xml
-    <dependencies>
-        <dependency>
-            <groupId>org.springaicommunity</groupId>
-            <artifactId>mcp-server-security</artifactId>
-            <version>0.1.1</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-security</artifactId>
-        </dependency>
-        <!-- Optional: required for OAuth2 resource server support -->
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
-        </dependency>
-    </dependencies>
-    ```
-
-=== "Gradle"
-
-    ```groovy
-    implementation("org.springaicommunity:mcp-server-security:0.1.1")
-    implementation("org.springframework.boot:spring-boot-starter-security")
-    // Optional: required for OAuth2 resource server support
-    implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
-    ```
-
-### OAuth2 Authentication
-
-Enable a Streamable HTTP or Stateless MCP server in `application.properties`:
-
-```properties
-spring.ai.mcp.server.name=my-mcp-server
-# Supported protocols: STREAMABLE, STATELESS
-spring.ai.mcp.server.protocol=STREAMABLE
-```
-
-Then configure Spring Security with the `McpServerOAuth2Configurer` to require authentication on every request:
-
-```java
-@Configuration
-@EnableWebSecurity
-class McpServerConfiguration {
-
-    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
-    private String issuerUrl;
-
-    @Bean
-    SecurityFilterChain securityFilterChain(HttpSecurity http) {
-        return http
-                // Require authentication on every request
-                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
-                .with(
-                        McpServerOAuth2Configurer.mcpServerOAuth2(),
-                        mcpAuthorization -> {
-                            // Required: the issuer URI of the authorization server
-                            mcpAuthorization.authorizationServer(issuerUrl);
-                            // Optional: validate the `aud` claim (RFC 8707 Resource Indicators)
-                            // Not all authorization servers include this claim. Defaults to false.
-                            mcpAuthorization.validateAudienceClaim(true);
-                        }
-                )
-                .build();
-    }
-}
-```
-
-### Fine-Grained: Secure Tool Calls Only
-
-To allow `initialize` and `tools/list` publicly while requiring authentication for `tools/call`, enable method security and open the `/mcp` endpoint:
-
-```java
-@Configuration
-@EnableWebSecurity
-@EnableMethodSecurity  // enables @PreAuthorize on individual methods
-class McpServerConfiguration {
-
-    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
-    private String issuerUrl;
-
-    @Bean
-    SecurityFilterChain securityFilterChain(HttpSecurity http) {
-        return http
-                .authorizeHttpRequests(auth -> {
-                    auth.requestMatchers("/mcp").permitAll();
-                    auth.anyRequest().authenticated();
-                })
-                .with(
-                        McpServerOAuth2Configurer.mcpServerOAuth2(),
-                        mcpAuthorization -> mcpAuthorization.authorizationServer(issuerUrl)
-                )
-                .build();
-    }
-}
-```
-
-Then annotate individual tool methods with `@PreAuthorize`. The current authentication is also accessible via `SecurityContextHolder`:
-
-```java
-@Service
-public class MyToolsService {
-
-    @PreAuthorize("isAuthenticated()")
-    @McpTool(name = "greeter", description = "A tool that greets the authenticated user")
-    public String greet(
-            @McpToolParam(description = "The language for the greeting") String language
-    ) {
-        var authentication = SecurityContextHolder.getContext().getAuthentication();
-        return switch (language.toLowerCase()) {
-            case "english" -> "Hello, " + authentication.getName() + "!";
-            case "french"  -> "Salut " + authentication.getName() + "!";
-            default        -> "Hello " + authentication.getName() + "!";
-        };
-    }
-}
-```
-
-### API Key Authentication
-
-For API key-based authentication, provide an `ApiKeyEntityRepository` implementation and configure the `mcpServerApiKey()` configurer:
-
-```java
-@Configuration
-@EnableWebSecurity
-class McpServerConfiguration {
-
-    @Bean
-    SecurityFilterChain securityFilterChain(HttpSecurity http) {
-        return http
-                .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
-                .with(
-                        mcpServerApiKey(),
-                        apiKey -> {
-                            // Required: repository of valid API keys
-                            apiKey.apiKeyRepository(apiKeyRepository());
-                            // Optional: customize the header name (default: X-API-Key)
-                            // apiKey.headerName("CUSTOM-API-KEY");
-                        }
-                )
-                .build();
-    }
-
-    private ApiKeyEntityRepository<ApiKeyEntityImpl> apiKeyRepository() {
-        var apiKey = ApiKeyEntityImpl.builder()
-                .name("my api key")
-                .id("api01")
-                .secret("mycustomapikey")
-                .build();
-        return new InMemoryApiKeyEntityRepository<>(List.of(apiKey));
-    }
-}
-```
-
-Clients send the key using the `X-API-Key: api01.mycustomapikey` header format (`<id>.<secret>`).
-
-!!! warning
-    `InMemoryApiKeyEntityRepository` uses bcrypt for key hashing and is not suited for high-traffic production use. Provide a custom `ApiKeyEntityRepository` implementation for production deployments.
-
-### Known Limitations
-
-- The deprecated SSE transport is not supported. Use Streamable HTTP or Stateless transport.
-- Spring WebFlux-based servers are not supported — WebMVC only.
-- Opaque tokens are not supported. JWT is required for OAuth2.
-
 ## Error Handling
 
 The SDK provides comprehensive error handling through the McpError class, covering protocol compatibility, transport communication, JSON-RPC messaging, tool execution, resource management, prompt handling, timeouts, and connection issues. This unified error handling approach ensures consistent and reliable error management across both synchronous and asynchronous operations.

mcp-test/src/main/java/io/modelcontextprotocol/client/AbstractMcpAsyncClientResiliencyTests.java

@@ -45,6 +45,7 @@ public abstract class AbstractMcpAsyncClientResiliencyTests {
 	private static final Logger logger = LoggerFactory.getLogger(AbstractMcpAsyncClientResiliencyTests.class);
 
 	static Network network = Network.newNetwork();
+
 	public static String host = "http://localhost:3001";
 
 	@SuppressWarnings("resource")