I was trying Vaadin 24.5 @Layout
The result is
According to the documentation I need to add @AnonymousAllowed and with that, it works.
But why? The Layout is not a Route and it’s very confusing to add security annotations on a layout
The criteria for it are documented here if that helps: Access control does not work properly when using @Layout with Hilla views · Issue #20097 · vaadin/flow · GitHub
Personally, I’m not using Vaadin’s Security Annotations on views… so I did not came across this problem (custom security config)
Thanks for the link but this is for Hilla.
The question is why do I need to add @AnonymousAllowed to the Layout. I cannot navigate to the layout. This simply doesn’t make sense to me.
The comment by @mikhail.21 should contain also flow related informations. He might get this tag to get back to us :)
It’s by design, access control for @Layout is denied by default to be consistent with the whole access control default for server-side views.
This may give some context Access control does not work properly when using @Layout with Hilla views · Issue #20097 · vaadin/flow · GitHub
The essential idea behind is:
- Align access control behaviour between Flow and Hilla views, so the access resolution is the same if they have the same protection rules.
- Being able to configure access control for a layout, including both Hilla and Flow, that then gives a priority over what is configured for exact views.
- Flow layout defaults to deny because Flow views default to deny. Hilla layout defaults to allow all because Hilla views are allowed for all by default.
Thanks for the explanation but I still don’t understand why the layout needs a security annotation. I cannot use a layout without a view.
Or do I miss something?