From f1e367f93d62df64e9f674f94549cee722334a49 Mon Sep 17 00:00:00 2001
From: CHANHAN <130114269+chanani@users.noreply.github.com>
Date: Tue, 20 Jan 2026 08:43:34 +0900
Subject: [PATCH] fix missing access attribute validation in AuthorizationFilterParser

Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
---
 .../security/config/http/AuthorizationFilterParser.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java b/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java
index 548649675f..2edf6e8f7f 100644
--- a/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/AuthorizationFilterParser.java
@@ -124,6 +124,11 @@ class AuthorizationFilterParser implements BeanDefinitionParser {
 List interceptMessages = DomUtils.getChildElementsByTagName(element, Elements.INTERCEPT_URL);
 for (Element interceptMessage : interceptMessages) {
 String accessExpression = interceptMessage.getAttribute(ATT_ACCESS);
+ if (!StringUtils.hasText(accessExpression)) {
+ parserContext.getReaderContext()
+ .error("access attribute cannot be empty or null", interceptMessage);
+ continue;
+ }
 BeanDefinitionBuilder authorizationManager = BeanDefinitionBuilder
 .rootBeanDefinition(WebExpressionAuthorizationManager.class);
 authorizationManager.addPropertyReference("expressionHandler", expressionHandlerRef);
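Review bot: The `continue` after `error(...)` in the added guard is reached only when the reader context's `ProblemReporter` does not throw, and in that case the `<intercept-url>` is dropped with no authorization rule, so requests for its pattern fall through to whatever mapping follows. A comment on that line, for example `// reached only with a non-fail-fast ProblemReporter; this element contributes no rule`, would make the intent explicit. The guard also rejects an element that sets only other attributes such as `requires-channel` and no `access`, which looks like a behaviour change for existing XML configurations and is worth confirming. The diffstat shows no test file, so a parser test that loads an `<intercept-url>` without `access` and asserts the reported error would pin the new behaviour. The loop body continues past the end of the hunk, so how the rest of the iteration uses `accessExpression` is not visible here.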