Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix missing access attribute validation in FilterInvocationSecurityMetadataSourceParser

Browse Source 
Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
This commit is contained in:
CHANHAN
2026-01-20 08:43:52 +09:00
committed by Robert Winch
parent f1e367f93d
commit fa87c78edb
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/src/main/java/org/springframework/security/config/http/FilterInvocationSecurityMetadataSourceParser.java
+3 -1
View File
@@ -142,10 +142,12 @@ public class FilterInvocationSecurityMetadataSourceParser implements BeanDefinit
ManagedMap<BeanMetadataElement, BeanDefinition> filterInvocationDefinitionMap = new ManagedMap<>();
for (Element urlElt : urlElts) {
String access = urlElt.getAttribute(ATT_ACCESS);
String path = urlElt.getAttribute(ATT_PATTERN);
if (!StringUtils.hasText(access)) {
parserContext.getReaderContext()
.error("access attribute cannot be empty or null", urlElt);
continue;
}
String path = urlElt.getAttribute(ATT_PATTERN);
String matcherRef = urlElt.getAttribute(HttpSecurityBeanDefinitionParser.ATT_REQUEST_MATCHER_REF);
boolean hasMatcherRef = StringUtils.hasText(matcherRef);
if (!hasMatcherRef && !StringUtils.hasText(path)) {