fix missing access attribute validation in FilterInvocationSecurityMetadataSourceParser

Fixes gh-18503 Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
2026-02-25 14:45:14 +00:00 · 2026-01-20 08:43:52 +09:00 · 2026-01-20 08:43:52 +09:00 · fa87c78edb
commit fa87c78edb
parent f1e367f93d
1 changed files with 3 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
@ -142,10 +142,12 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
 		ManagedMap<BeanMetadataElement, BeanDefinition> filterInvocationDefinitionMap = new ManagedMap<>();
 		for (Element urlElt : urlElts) {
 			String access = urlElt.getAttribute(ATT_ACCESS);
+			String path = urlElt.getAttribute(ATT_PATTERN);
 			if (!StringUtils.hasText(access)) {
+				parserContext.getReaderContext()
+						.error("access attribute cannot be empty or null", urlElt);
 				continue;
 			}
-			String path = urlElt.getAttribute(ATT_PATTERN);
 			String matcherRef = urlElt.getAttribute(HttpSecurityBeanDefinitionParser.ATT_REQUEST_MATCHER_REF);
 			boolean hasMatcherRef = StringUtils.hasText(matcherRef);
 			if (!hasMatcherRef && !StringUtils.hasText(path)) {