@chanani chanani commented Jan 20, 2026

Description

Improves error handling when <intercept-url> elements are missing the required access attribute.

Changes

  • Add validation in AuthorizationFilterParser to check for missing or empty access attribute
  • Add validation in FilterInvocationSecurityMetadataSourceParser for legacy mode
  • Add comprehensive test coverage for both authorization modes

Before

Missing or empty access attributes were silently accepted, causing cryptic errors during bean initialization:

java.lang.IllegalArgumentException: Cannot invoke "String.isEmpty()" because "access" is null

After

Clear error message at configuration parsing time:

Configuration problem: access attribute cannot be empty or null

Testing

  • Added test cases for missing access attribute
  • Added test cases for empty access attribute
  • Added test cases for valid access attribute
  • Tested both AuthorizationManager and legacy AccessDecisionManager modes

Fixes gh-18503
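
Until a build with this validation is in use, the same condition can be checked in existing XML configuration before startup. The script below is an added example, not code from this PR or from Spring Security; the function names and the sample configuration are constructed, and treating a whitespace-only `access` value as empty is an assumption of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from the PR or the project).
SAMPLE_CONFIG = """\
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http>
    <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>
    <intercept-url pattern="/reports/**"/>
    <intercept-url pattern="/api/**" access="  "/>
    <intercept-url pattern="/public/**" access="permitAll"/>
  </http>
</beans:beans>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_rules_without_access(xml_text):
    """Return (pattern, reason) for each intercept-url with no usable access value.

    Elements are matched by local name, so the check works whether the security
    namespace is the default one or bound to a prefix such as 'security:'.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if local_name(elem.tag) != "intercept-url":
            continue
        access = elem.get("access")
        pattern = elem.get("pattern", "<no pattern>")
        if access is None:
            findings.append((pattern, "missing"))
        elif not access.strip():
            # Assumption of this example: whitespace-only counts as empty.
            findings.append((pattern, "empty"))
    return findings


if __name__ == "__main__":
    for pattern, reason in find_rules_without_access(SAMPLE_CONFIG):
        print(f"intercept-url pattern={pattern!r}: access attribute is {reason}")
```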

spring-projects-issues added the "status: waiting-for-triage" label Jan 20, 2026

chanani commented Jan 22, 2026

Hi @rwinch! 👋

I've submitted this PR to address issue #18503. This adds validation for missing or empty access attributes in <intercept-url> elements with clear error messages.

Would appreciate your review when you have time. Thank you!

Development

Successfully merging this pull request may close these issues.

intercept-url without access throws strange assertion error (spring / spring-security 6)
