Routes broken when updating from 24.2.5 to 24.3.6

Hey,

I’ve tried to update a software from vaadin 24.2.5 to 24.3.6 today. Somehow now most of all routes are broken.
They all error Could not navigate to 'ROUTE NAME'. Still as the image shows the same route that is in the error message shows up as existing in the dev overview. What could be going on here when just updating to a new minor??

Thanks for you help

https://vaadin.com/blog/vaadin-flow-24.3-enhancing-dx-theming-upgrades-and-multi-select-combo-box-improvements

Second, version 24.3 introduces a new feature for navigation access control that allows for more granular control over user access within applications, ensuring that sensitive pages and resources are only accessible to authorized users.

Sounds like you have not enough rights to see that page

Sorry but a breaking change in a minor version?

I have disabled it and it works

but how can this be enabled by default in a minor

Security > Breaking Change

In 24.2 there was ViewAccessChecker, that performed the same check for annotations on views, so the behavior should have been the same
Did you disable it in some way previously?

I have a feeling he has spring security matchers configured

We use a custom implementation of ViewAccessChecker

Basically it checks for custom annotations:

@Primary
@Component
public class ViewPermissionEvaluator extends ViewAccessChecker {

    private final PermissionChecker annotationChecker;

    /**
     * Constructor.
     *
     * @param annotationChecker annotation checker
     */
    public ViewPermissionEvaluator(PermissionChecker annotationChecker) {
        super(annotationChecker);
        this.annotationChecker = annotationChecker;
    }

    /**
     * Additionally overwrites the function which queries the evaluation function
     * for rights with our own evaluation function.
     *
     * @param request vaadin request
     * @return evaluation function
     */
    @Override
    protected Function<String, Boolean> getRolesChecker(VaadinRequest request) {
        return annotationChecker.getEvaluationFunction(request);
    }

}

at least for us the new navigation stuff broke our application with that

I see. IIRC ViewAccessChecker was not meant to be a customizable extension point. The extension should have been AccessAnnotationChecker interface
Unfortunately, the class is missing the for internal use only note

Alright. If I understand the docs correctly, I need to implement a custom NavigationAccessChecker now. AccessAnnotationChecker will not be enough as we use non Spring annotations which will not be checked by the AnnotatedViewAccessChecker (which is delegating to an AccessAnnotationChecker afterwards)

Yes, I’d say a custom checker is the way to go.

In the custom ViewAccessChecker we override the getRolesChecker method. There is this one located now?

That method is in NavigationAccessControl, but checkers are supposed to use NavigationContext.hasRole to perform the verification.
May I ask why do you need to override it? It would be good to know to understand if the API needs additional hooks