Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-02-25 14:45:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix missing access attribute validation in AuthorizationFilterParser

Browse Source 
Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
This commit is contained in:
CHANHAN 2026-01-20 08:43:34 +09:00 committed by Robert Winch
parent 4d0627e6c0
commit f1e367f93d
No known key found for this signature in database
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java
View File

@ -124,6 +124,11 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
List<Element> interceptMessages = DomUtils.getChildElementsByTagName(element, Elements.INTERCEPT_URL);
for (Element interceptMessage : interceptMessages) {
String accessExpression = interceptMessage.getAttribute(ATT_ACCESS);
if (!StringUtils.hasText(accessExpression)) {
parserContext.getReaderContext()
.error("access attribute cannot be empty or null", interceptMessage);
continue;
}
BeanDefinitionBuilder authorizationManager = BeanDefinitionBuilder
.rootBeanDefinition(WebExpressionAuthorizationManager.class);
authorizationManager.addPropertyReference("expressionHandler", expressionHandlerRef);