Improve error message for missing access attribute in intercept-url #18530

Merged
rwinch merged 4 commits into spring-projects:main from chanani:gh-18503
Feb 23, 2026

chanani commented Jan 20, 2026

Description

Improves error handling when <intercept-url> elements are missing the required access attribute.

Changes

  • Add validation in AuthorizationFilterParser to check for missing or empty access attribute
  • Add validation in FilterInvocationSecurityMetadataSourceParser for legacy mode
  • Add comprehensive test coverage for both authorization modes

Before

Missing or empty access attributes were silently accepted, causing cryptic errors during bean initialization:

java.lang.IllegalArgumentException: Cannot invoke "String.isEmpty()" because "access" is null

After

Clear error message at configuration parsing time:

Configuration problem: access attribute cannot be empty or null

Testing

  • Added test cases for missing access attribute
  • Added test cases for empty access attribute
  • Added test cases for valid access attribute
  • Tested both AuthorizationManager and legacy AccessDecisionManager modes

Fixes gh-18503
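
The check described above can also be run over a configuration file before deployment. The following is an added example, not code from this pull request or from Spring Security's parsers; the class name, method name and sample configuration are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class InterceptUrlAccessCheck {
    // Constructed sample configuration: the second rule omits "access", the third leaves it empty.
    static final String SAMPLE = """
        <http xmlns="http://www.springframework.org/schema/security">
          <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>
          <intercept-url pattern="/reports/**"/>
          <intercept-url pattern="/api/**" access=""/>
        </http>
        """;

    // Returns the pattern of every intercept-url whose access attribute is missing or empty.
    static List<String> findRulesWithoutAccess(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the check cannot be used to resolve external entities.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        List<String> offenders = new ArrayList<>();
        NodeList rules = doc.getElementsByTagNameNS("*", "intercept-url");
        for (int i = 0; i < rules.getLength(); i++) {
            Element rule = (Element) rules.item(i);
            // getAttribute returns "" for an absent attribute, so one test covers both cases.
            if (rule.getAttribute("access").isEmpty()) {
                offenders.add(rule.getAttribute("pattern"));
            }
        }
        return offenders;
    }

    public static void main(String[] args) throws Exception {
        for (String pattern : findRulesWithoutAccess(SAMPLE)) {
            System.err.println("Configuration problem: access attribute cannot be empty or null"
                    + " (intercept-url pattern=\"" + pattern + "\")");
        }
    }
}
```

On the constructed sample this reports `/reports/**` and `/api/**`.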

chanani commented Jan 22, 2026

Hi @rwinch ! 👋

I've submitted this PR to address issue #18503. This adds validation for missing or empty access attributes in <intercept-url> elements with clear error messages.

Would appreciate your review when you have time. Thank you!

chanani commented Feb 9, 2026

Hi @rwinch ! Just checking in to see if someone could take a look at this when you have a moment. Thanks!

rwinch closed this Feb 23, 2026
rwinch reopened this Feb 23, 2026
rwinch self-assigned this Feb 23, 2026
rwinch added the "in: config" and "type: bug" labels and removed the "status: waiting-for-triage" label Feb 23, 2026
chanani and others added 4 commits February 23, 2026 15:16
Fixes spring-projectsgh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
…tadataSourceParser

Fixes spring-projectsgh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
Fixes spring-projectsgh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
rwinch added this to the 7.1.0-M3 milestone Feb 23, 2026
rwinch enabled auto-merge February 23, 2026 21:20

rwinch commented Feb 23, 2026

Thanks for the PR, @chanani. I've pushed fixes to the checkstyle and this will be merged as soon as the build passes.

rwinch merged commit 1ab17d9 into spring-projects:main Feb 23, 2026
7 checks passed
chanani deleted the gh-18503 branch February 24, 2026 08:35
Labels

in: config, type: bug

Development

Successfully merging this pull request may close these issues.

intercept-url without access throws strange assertion error (spring / spring-security 6)