
Misleading warning about denied main layout when using permitAll annotation #22737

@stefanuebe


Description of the bug

I have a main layout, annotated with the @PermitAll annotation and some views. After the login, everything is shown as expected, but the log prints

Denied access to view due to layout 'MainLayout' access rules

when the page is reloaded.

This warning is misleading and irritating, as the main layout seems to be accessible and usable without any further restrictions. The warning comes from the hasRole access check in the AnnotatedViewAccessCheck on line 84+

boolean hasAccess = accessAnnotationChecker.hasAccess(layout,
        context.getPrincipal(), context::hasRole);
if (!hasAccess) {
    LOGGER.warn(
            "Denied access to view due to layout '{}' access rules",
            layout.getSimpleName());
            ...

Expected behavior

Warnings about denied access should only occur when there is an issue.

Minimal reproducible example

Download a starter and set up the basic configuration, using a login view. Configure the main layout with a permit all annotation and add a simple view.

LoginView.java

@Route(value = "login", autoLayout = false)
@AnonymousAllowed
public class LoginView extends VerticalLayout  {
    public LoginView() {
        LoginForm login = new LoginForm();
        login.setAction("login");
        add(login);
    }
}

SecurityConfiguration.java

@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfiguration {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.requestMatchers("/public/**").permitAll());
        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> configurer.loginView(LoginView.class));
        return http.build();
    }

    @Bean
    public UserDetailsManager userDetailsService() {
        return new InMemoryUserDetailsManager(User.withUsername("user").password("{noop}user").roles("USER").build());
    }
}

MainLayout.java

@Layout
@PermitAll
public class MainLayout extends VerticalLayout implements RouterLayout {
    public MainLayout() {
        add(new Span("HEADER"));
    }
}

SampleView.java

@Route("")
@PermitAll
public class SampleView extends VerticalLayout {
    public SampleView() {
        add(new Span("Hello World!"));
    }
}

Versions

  • Vaadin / Flow version: 24.9.4 / 25-b4
  • Java version: 21
  • OS version: Windows 11
  • Browser version (if applicable): Chrome
  • Application Server (if applicable): Spring embedded Tomcat
  • IDE (if applicable): IntelliJ IDEA
