Blank Login View after navigating from @AnonymousAllowed to @PermitAll view

My Login View works perfectly in most cases, but whenever I navigate programmatically from an @AnonymousAllowed view to a @PermitAll view (while not being authenticated yet), the login view is blank (white, no content in the body except the outlet and the connection-indicator).

When I navigate from/to the same view by typing the URL manually, the login view works and also redirects properly after successful login.

Am I doing something wrong? Is this a known issue? Is there a fix or a workaround?

Vaadin version 24.6.5, also tried with 24.7.1

// Public view: reachable without authentication
@Route(value = "Test")
@AnonymousAllowed
public class TestView extends VerticalLayout {

    public TestView() {
        // Server-side (programmatic) navigation to the protected view
        add(new Button("Navigate to authenticated view", click -> {
            UI.getCurrent().navigate(SomeAuthenticatedView.class);
        }));
    }

}

// Protected view: any authenticated user may enter
@Route(value = "authenticated")
@PermitAll
public class SomeAuthenticatedView extends VerticalLayout {

    public SomeAuthenticatedView() {
        add(new Span("You are authenticated."));
    }

}

// Login view: must stay reachable for anonymous users
@Route(value = "login")
@AnonymousAllowed
public class LoginView extends VerticalLayout {

    public LoginView() {
        LoginOverlay loginOverlay = new LoginOverlay();
        loginOverlay.setAction("login");
        loginOverlay.setOpened(true);
        loginOverlay.setI18n(prepareLoginI18N());
    }

}

A screenshot of the HTML of the login view when the bug happens:
[Image: Screenshot 2025-03-28 100628]

What do you expect to happen? Navigating as an anonymous user should NOT render the view requiring authentication.

I expect the login form to show up, not the authenticated view. The issue is that it looks like it tries to navigate to the loginView as expected, but the login form doesn't show up at all, the page is just completely empty.

I would suggest creating an issue on GitHub. Sounds like an edge case. Even though I don't think it would be a reasonable default that the login form is shown. It only takes into account that the user is anonymous. While for example navigation from /user to /admin should probably result in a 404 page.

Personally I would say: it’s your job as developer to redirect the user accordingly.

Can you provide some more details regarding your security setup / configuration? Also, the HTML DOM is unfortunately not expanded, so it is hard to tell what the shown view content is.

Security config:

@Configuration
@EnableWebSecurity
public class UiSecurityConfiguration extends VaadinWebSecurity {
    public static final String LOGIN_URL = "/login";

    public UiSecurityConfiguration () {
    }

    @Bean
    AuthenticationManager authManager(HttpSecurity httpSecurity, LogoutAuthenticationProvider logoutAuthenticationProvider) throws Exception {
        AuthenticationManagerBuilder authenticationManagerBuilder = (AuthenticationManagerBuilder)httpSecurity.getSharedObject(AuthenticationManagerBuilder.class);
        authenticationManagerBuilder.authenticationProvider(logoutAuthenticationProvider);
        return (AuthenticationManager)authenticationManagerBuilder.build();
    }

    public void configure(HttpSecurity http) throws Exception {
        // this security config should only apply to paths that don't include /api/**
        http.securityMatcher(new NegatedRequestMatcher(new AntPathRequestMatcher("/api/**")));
        http.authorizeHttpRequests((auth) -> {
            // allow images to be served
            ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl)auth.requestMatchers((String[])this.getSecurityIgnoredPathsAndFiles().toArray(new String[0]))).permitAll();
        });
        this.setLoginView(http, LoginView.class, LOGIN_URL);
        super.configure(http);
    }

    private List<String> getSecurityIgnoredPathsAndFiles() {
        return Arrays.asList("/images/**");
    }
}

The HTML DOM is expanded. This is what it looks like when the login view works:
[Image: Screenshot 2025-03-28 100732]
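
An added example, not part of the original thread and not Vaadin's own code: one way to do the explicit redirect suggested earlier in the thread, relying on the poster's observation that opening the URL directly shows the login form and redirects after login. It assumes the `AuthenticationContext` bean from Vaadin's Spring Security integration can be injected, that `SomeAuthenticatedView` is the `@PermitAll` view from the question, and that a full page load behaves like typing the URL by hand.

```java
import com.vaadin.flow.component.UI;
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.router.RouteConfiguration;
import com.vaadin.flow.server.auth.AnonymousAllowed;
import com.vaadin.flow.spring.security.AuthenticationContext;

@Route(value = "Test")
@AnonymousAllowed
public class TestView extends VerticalLayout {

    public TestView(AuthenticationContext authenticationContext) {
        add(new Button("Navigate to authenticated view", click -> {
            UI ui = click.getSource().getUI().orElseThrow();

            if (authenticationContext.isAuthenticated()) {
                // Already logged in: normal server-side navigation.
                ui.navigate(SomeAuthenticatedView.class);
                return;
            }

            // Anonymous user: ask the browser to load the protected URL.
            // The request then passes through the Spring Security filter
            // chain, as it does when the URL is typed manually.
            // The URL is relative, so it resolves against the current
            // page ("Test" and "authenticated" are both top-level routes).
            String target = RouteConfiguration.forSessionScope()
                    .getUrl(SomeAuthenticatedView.class);
            ui.getPage().setLocation(target);
        }));
    }
}
```

The `isAuthenticated()` branch only chooses how to navigate; access to `SomeAuthenticatedView` is still enforced by its `@PermitAll` annotation and the security configuration.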