I’m currently adding security to my app.
I’ve set up the SecurityFilterChain with VaadinSecurityConfigurer, and (just for the start) added @AnonymousAllowed to my views.
However, I’m not able to navigate after login, and when I turned on debug logging I found this:
Denied access to view due to layout ‘MainLayout’ access rules
It works if I add @AnonymousAllowed also to the layout class, but is this intended?
Yes, this is by design, because a layout might contain sensitive information, so developers should explicitly set the access level.
However, it looks like the online documentation is not up-to-date
OK, thanks for the info.
Do the annotations on the views override the one on the layout?
I use the same layout for all my views, but not all views will have same access level.
No, they are checked separately. So both layout and view annotation should allow access.
Here’s the link to the PR that will update the online documentation: docs: correct security annotations inheritance on parent layouts by mcollovati · Pull Request #5170 · vaadin/docs · GitHub
Edit: I mean that if the annotation on the view is stricter, then it wins over the layout. But if it is narrower, the layout wins.