diff --git a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
index fab1e932c0..22c30bc185 100644
--- a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
@@ -337,6 +337,55 @@ public class InterceptUrlConfigTests {
 		assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
 	}
 
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenInterceptUrlMissingAccessThenException() {
+		assertThatExceptionOfType(BeanDefinitionParsingException.class)
+				.isThrownBy(() -> this.spring.configLocations(this.xml("MissingAccess")).autowire())
+				.withMessageContaining("access attribute cannot be empty or null");
+	}
+
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenInterceptUrlEmptyAccessThenException() {
+		assertThatExceptionOfType(BeanDefinitionParsingException.class)
+				.isThrownBy(() -> this.spring.configLocations(this.xml("EmptyAccess")).autowire())
+				.withMessageContaining("access attribute cannot be empty or null");
+	}
+
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenInterceptUrlValidAccessThenLoads() {
+		assertThatNoException()
+				.isThrownBy(() -> this.spring.configLocations(this.xml("ValidAccess")).autowire());
+	}
+
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenUseAuthorizationManagerFalseAndMissingAccessThenException() {
+		assertThatExceptionOfType(BeanDefinitionParsingException.class)
+				.isThrownBy(() -> this.spring.configLocations(this.xml("MissingAccessLegacy")).autowire())
+				.withMessageContaining("access attribute cannot be empty or null");
+	}
+
+	/**
+	 * gh-18503
+	 */
+	@Test
+	public void configWhenUseAuthorizationManagerFalseAndEmptyAccessThenException() {
+		assertThatExceptionOfType(BeanDefinitionParsingException.class)
+				.isThrownBy(() -> this.spring.configLocations(this.xml("EmptyAccessLegacy")).autowire())
+				.withMessageContaining("access attribute cannot be empty or null");
+	}
+
 	private static RequestPostProcessor adminCredentials() {
 		return httpBasic("admin", "password");
 	}
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccess.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccess.xml
new file mode 100644
index 0000000000..26197d5bd4
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccess.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<intercept-url pattern="/admin/**" access="" />
+	</http>
+
+	<user-service>
+		<user name="user" password="{noop}password" authorities="ROLE_USER"/>
+	</user-service>
+
+</b:beans>
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccessLegacy.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccessLegacy.xml
new file mode 100644
index 0000000000..897a1852e4
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccessLegacy.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xmlns="http://www.springframework.org/schema/security"
+		 xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http use-authorization-manager="false">
+		<intercept-url pattern="/admin/**" access=""/>
+	</http>
+
+	<user-service>
+		<user name="user" password="{noop}password" authorities="ROLE_USER"/>
+	</user-service>
+
+</b:beans>
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccess.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccess.xml
new file mode 100644
index 0000000000..d09f24205b
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccess.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xmlns="http://www.springframework.org/schema/security"
+		 xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<intercept-url pattern="/admin/**"/>
+	</http>
+
+	<user-service>
+		<user name="user" password="{noop}password" authorities="ROLE_USER"/>
+	</user-service>
+
+</b:beans>
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccessLegacy.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccessLegacy.xml
new file mode 100644
index 0000000000..ad9f6ef9c9
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccessLegacy.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xmlns="http://www.springframework.org/schema/security"
+		 xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http use-authorization-manager="false">
+		<intercept-url pattern="/admin/**"/>
+	</http>
+
+	<user-service>
+		<user name="user" password="{noop}password" authorities="ROLE_USER"/>
+	</user-service>
+
+</b:beans>
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-ValidAccess.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-ValidAccess.xml
new file mode 100644
index 0000000000..00a33b7f0f
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-ValidAccess.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xmlns="http://www.springframework.org/schema/security"
+		 xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http>
+		<intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />
+		<http-basic />
+	</http>
+
+	<user-service>
+		<user name="user" password="{noop}password" authorities="ROLE_USER"/>
+	</user-service>
+
+</b:beans>