From fa87c78edb8e1cd98867634463b79053d33d4ba7 Mon Sep 17 00:00:00 2001
From: CHANHAN <130114269+chanani@users.noreply.github.com>
Date: Tue, 20 Jan 2026 08:43:52 +0900
Subject: [PATCH] fix missing access attribute validation in
 FilterInvocationSecurityMetadataSourceParser

Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
---
 .../http/FilterInvocationSecurityMetadataSourceParser.java    | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java b/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
index 8e174f18bd..442343d5ce 100644
--- a/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
@@ -142,10 +142,12 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
 		ManagedMap<BeanMetadataElement, BeanDefinition> filterInvocationDefinitionMap = new ManagedMap<>();
 		for (Element urlElt : urlElts) {
 			String access = urlElt.getAttribute(ATT_ACCESS);
+			String path = urlElt.getAttribute(ATT_PATTERN);
 			if (!StringUtils.hasText(access)) {
+				parserContext.getReaderContext()
+						.error("access attribute cannot be empty or null", urlElt);
 				continue;
 			}
-			String path = urlElt.getAttribute(ATT_PATTERN);
 			String matcherRef = urlElt.getAttribute(HttpSecurityBeanDefinitionParser.ATT_REQUEST_MATCHER_REF);
 			boolean hasMatcherRef = StringUtils.hasText(matcherRef);
 			if (!hasMatcherRef && !StringUtils.hasText(path)) {