Custom error handling for 404

In my role-based app, this works fine.

public class CustomAccessDeniedError extends RouteAccessDeniedError {

    @Override
    public int setErrorParameter(BeforeEnterEvent event, ErrorParameter<AccessDeniedException> parameter) {
        event.forwardTo(AccessDeniedView.class);
        return HttpServletResponse.SC_FORBIDDEN;
    }
}

However, this does not.

public class CustomNotFoundError extends RouteNotFoundError {

    @Override
    public int setErrorParameter(BeforeEnterEvent event, ErrorParameter<NotFoundException> parameter) {
        event.forwardTo(NotFoundView.class);
        return HttpServletResponse.SC_NOT_FOUND;
    }
}

Instead of the custom NotFoundView, I get a 403 on the browser.
What am I missing?

It looks like CustomNotFoundError is missing the @AnonymousAllowed annotation, if it has to be visible also for anonymous users.

I am struggling with the Spring Security configuration. In Vaadin 25 I did not manage to configure Spring Security so that unknown routes are not blocked automatically at the Spring Security level.

This configuration blocks every unknown route, no custom Vaadin error:

@Bean
SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
	return http //
			.authorizeHttpRequests(auth -> auth.requestMatchers(VaadinSecurityConfigurer.getDefaultHttpSecurityPermitMatcher()).permitAll())
			...
			.with(VaadinSecurityConfigurer.vaadin(), vaadin -> vaadin.loginView(LoginView.class)) //
			.build();
}

This configuration redirects routes to Vaadin and the custom error shows if unknown:

@Bean
SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
	return http.authorizeHttpRequests(auth -> auth.requestMatchers("/**").permitAll())
			...
			.with(VaadinSecurityConfigurer.vaadin(), vaadin -> vaadin.loginView(LoginView.class)) //
			.build();
}

With the minimal Security configuration shown here:

it is also not possible to get a Vaadin 404; instead you get a Spring Security 403.

What am I missing? Any help is appreciated.

In Vaadin 25, the default is to forbid access to any request, regardless of whether it matches a route or not.
You can tune the rule by using the VaadinSecurityConfigurator.anyRequest(...) method or disable Vaadin’s config with VaadinSecurityConfigurator.enableAuthorizedRequestsConfiguration(false) and set your own default rule (e.g., authenticated()).

Thank you! I did find the part. Maybe the documentation should be clearer. I know that it is now the Spring Security default to deny all, but all the documentation about Router Exception Handling, and in particular NotFoundException, does not apply if Spring Security blocks any request by default. Thanks again for pointing me in the right direction!

Thanks for the feedback. Do you mind creating a ticket on the documentation repository (GitHub · Where software is built)?

Done:

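The two suggestions from the replies above, combined in one file as an added example (not code posted by anyone in the thread): the error target carries an access annotation, and the fallback rule for unmatched requests is relaxed from deny-all to `authenticated()`. It assumes the class is named `VaadinSecurityConfigurer` as in the question's code and that its `anyRequest(...)` method accepts a customizer for the fallback rule; `LoginView` and `NotFoundView` are the question's own views, and `SecurityConfig` is a hypothetical class name.

```java
// File: CustomNotFoundError.java (added example; LoginView and NotFoundView come from the thread)
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.ErrorParameter;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.router.RouteNotFoundError;
import com.vaadin.flow.server.auth.AnonymousAllowed;
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Error target from the question, with the access annotation suggested in the first reply.
@AnonymousAllowed
public class CustomNotFoundError extends RouteNotFoundError {

    @Override
    public int setErrorParameter(BeforeEnterEvent event, ErrorParameter<NotFoundException> parameter) {
        event.forwardTo(NotFoundView.class);
        return HttpServletResponse.SC_NOT_FOUND;
    }
}

// Hypothetical configuration class name; only the anyRequest(...) rule differs from the question.
@EnableWebSecurity
@Configuration
class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .with(VaadinSecurityConfigurer.vaadin(), vaadin -> vaadin
                        .loginView(LoginView.class)
                        // Replaces the Vaadin 25 deny-all fallback for requests that match no
                        // other rule. authenticated() lets logged-in users reach the Vaadin
                        // router (and its NotFoundException handling), while anonymous requests
                        // to unknown paths are still sent to the login view. permitAll() here
                        // would show the 404 view to anonymous users too, but it opens every
                        // unmatched path, including non-Vaadin endpoints, at the filter level.
                        .anyRequest(rule -> rule.authenticated()))
                .build();
    }
}
```

Compared with the `requestMatchers("/**").permitAll()` variant in the question, this keeps Spring Security as a second gate in front of anything that is not a Vaadin route.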