From d5ba9dcadab5598e5a3e79a08a17075344a4f7b8 Mon Sep 17 00:00:00 2001
From: CHANHAN <130114269+chanani@users.noreply.github.com>
Date: Tue, 20 Jan 2026 13:21:55 +0900
Subject: [PATCH] Add tests for intercept-url access attribute validation
Fixes gh-18503
Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
---
.../config/http/InterceptUrlConfigTests.java | 49 +++++++++++++++++++
.../InterceptUrlConfigTests-EmptyAccess.xml | 19 +++++++
...erceptUrlConfigTests-EmptyAccessLegacy.xml | 19 +++++++
.../InterceptUrlConfigTests-MissingAccess.xml | 19 +++++++
...ceptUrlConfigTests-MissingAccessLegacy.xml | 19 +++++++
.../InterceptUrlConfigTests-ValidAccess.xml | 20 ++++++++
6 files changed, 145 insertions(+)
create mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccess.xml
create mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccessLegacy.xml
create mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccess.xml
create mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccessLegacy.xml
create mode 100644 config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-ValidAccess.xml
diff --git a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
index fab1e932c0..22c30bc185 100644
--- a/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/InterceptUrlConfigTests.java
@@ -337,6 +337,55 @@ public class InterceptUrlConfigTests {
assertThat(this.spring.getContext().getBean(AuthorizationManager.class)).isNotNull();
}
+ /**
+ * gh-18503
+ */
+ @Test
+ public void configWhenInterceptUrlMissingAccessThenException() {
+ assertThatExceptionOfType(BeanDefinitionParsingException.class)
+ .isThrownBy(() -> this.spring.configLocations(this.xml("MissingAccess")).autowire())
+ .withMessageContaining("access attribute cannot be empty or null");
+ }
+
+ /**
+ * gh-18503
+ */
+ @Test
+ public void configWhenInterceptUrlEmptyAccessThenException() {
+ assertThatExceptionOfType(BeanDefinitionParsingException.class)
+ .isThrownBy(() -> this.spring.configLocations(this.xml("EmptyAccess")).autowire())
+ .withMessageContaining("access attribute cannot be empty or null");
+ }
+
+ /**
+ * gh-18503
+ */
+ @Test
+ public void configWhenInterceptUrlValidAccessThenLoads() {
+ assertThatNoException()
+ .isThrownBy(() -> this.spring.configLocations(this.xml("ValidAccess")).autowire());
+ }
+
+ /**
+ * gh-18503
+ */
+ @Test
+ public void configWhenUseAuthorizationManagerFalseAndMissingAccessThenException() {
+ assertThatExceptionOfType(BeanDefinitionParsingException.class)
+ .isThrownBy(() -> this.spring.configLocations(this.xml("MissingAccessLegacy")).autowire())
+ .withMessageContaining("access attribute cannot be empty or null");
+ }
+
+ /**
+ * gh-18503
+ */
+ @Test
+ public void configWhenUseAuthorizationManagerFalseAndEmptyAccessThenException() {
+ assertThatExceptionOfType(BeanDefinitionParsingException.class)
+ .isThrownBy(() -> this.spring.configLocations(this.xml("EmptyAccessLegacy")).autowire())
+ .withMessageContaining("access attribute cannot be empty or null");
+ }
+
private static RequestPostProcessor adminCredentials() {
return httpBasic("admin", "password");
}
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccess.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccess.xml
new file mode 100644
index 0000000000..26197d5bd4
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccess.xml
@@ -0,0 +1,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccessLegacy.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccessLegacy.xml
new file mode 100644
index 0000000000..897a1852e4
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-EmptyAccessLegacy.xml
@@ -0,0 +1,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccess.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccess.xml
new file mode 100644
index 0000000000..d09f24205b
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccess.xml
@@ -0,0 +1,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccessLegacy.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccessLegacy.xml
new file mode 100644
index 0000000000..ad9f6ef9c9
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-MissingAccessLegacy.xml
@@ -0,0 +1,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-ValidAccess.xml b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-ValidAccess.xml
new file mode 100644
index 0000000000..00a33b7f0f
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/InterceptUrlConfigTests-ValidAccess.xml
@@ -0,0 +1,20 @@
+
+
+
+
+
+
+
+
+
+
+
+
+