intercept-url without access throws strange assertion error (spring / spring-security 6)

[fabianfrz]

Describe the bug

Spring accepts broken config and then fails with cryptic stack trace that the constructor cannot be called with an empty string ("").

To Reproduce

add a spring security config section with this element:

<intercept-url pattern="/r/*"/> 

Then start up the application server that contains the spring webmvc deployment.

Expected behavior
A proper error message should be thrown or the xml could be rejected by adding validation that access is present

Sample

    <http use-expressions="true" create-session="never">
        <!-- this is how this element usually looks -->
        <intercept-url pattern="/test.jsp" access="hasRole('ADMIN') or hasRole('USER')"/>
        <!-- this will cause an error since access is not defined -->
        <intercept-url pattern="/r/*"/>
        <http-basic/>
        <csrf request-matcher-ref="csrfMatcherAll" disabled="false" />
        <headers>
            ...
        </headers>
        <access-denied-handler ref="customAccessDeniedHandler"/>
    </http>

[fabianfrz]

Method: org.springframework.security.config.http.AuthorizationFilterParser#createAuthorizationManager

[chanani]

Hi @fabianfrz ! I'd like to work on this issue.

Proposed Solution

I'll add validation to the AuthorizationFilterParser#createAuthorizationManager method to check if the access attribute is present and non-empty. When missing, it will throw a clear BeanCreationException with a helpful message like:

intercept-url element at line X must specify 'access' attribute.
Example: <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>

This will replace the current cryptic assertion error with a clear, actionable error message.

Implementation Plan

1. Add validation in AuthorizationFilterParser.java
2. Include line number information from the XML element
3. Provide example usage in the error message
4. Add unit tests to verify the validation works

I'll start working on this and submit a PR soon. Please let me know if this approach looks good or if you'd prefer a different solution (e.g., XSD schema validation instead).

[fabianfrz]

Hi @chanani,

I actually do not prefer a specific solution. Any would be better than having to deeply debug the spring bean manager sources because of this issue (you need to find out where the empty constructor argument is coming from).

The advantage of adding it to the XSD is, that it does not need to be caught in java because it should already tell you in the IDE or at startup, that your xml config file is invalid, however maybe this affects Java based configuration as well but I have not tried it.

[chanani]

I've submitted a PR to fix this issue: #18530

The changes add validation for missing/empty access attributes in intercept-url elements with clear error messages.
If there are any issues or suggestions, please feel free to leave a review on the PR ! 🙇‍♂️

[fabianfrz]

for me, this is fine, however I am not a spring maintainer