From 7982269979f8b58d10eb5845e9539679f87ef03c Mon Sep 17 00:00:00 2001 From: Artur Signell Date: Tue, 24 Mar 2026 17:34:08 +0000 Subject: [PATCH] docs: document security annotations required for custom error views Custom error handler views like RouteNotFoundError subclasses need security annotations (e.g., @AnonymousAllowed) when using VaadinSecurityConfigurer, which denies all unannotated views by default. Without this, users see a generic error page instead of their custom not-found page. Adds cross-references between the routing exceptions, protect views, security configurer, and enabling security pages so users can discover this requirement from any entry point. Fixes vaadin/docs#5378 --- articles/building-apps/security/protect-views.adoc | 4 ++++ articles/flow/routing/exceptions.adoc | 6 ++++++ articles/flow/security/enabling-security.adoc | 2 ++ articles/flow/security/vaadin-security-configurer.adoc | 3 +++ 4 files changed, 15 insertions(+) diff --git a/articles/building-apps/security/protect-views.adoc b/articles/building-apps/security/protect-views.adoc index a9a257e143..5c23565c9a 100644 --- a/articles/building-apps/security/protect-views.adoc +++ b/articles/building-apps/security/protect-views.adoc @@ -76,6 +76,10 @@ public class AdminView extends Main { [IMPORTANT] When protecting views, ensure the router layout also allows access. If a view is accessible but its parent layout is restricted, users will still be blocked. +.Error Views Need Security Annotations Too +[NOTE] +Custom error handler views -- such as a class extending [classname]`RouteNotFoundError` -- are also subject to access control. Add an appropriate security annotation (e.g., [annotationname]`@AnonymousAllowed`) to ensure they are accessible. Without an annotation, users may see a generic error page instead of your custom error view. See <<{articles}/flow/routing/exceptions#,Router Exception Handling>> for more details. + === Annotation Inheritance 
diff --git a/articles/flow/routing/exceptions.adoc b/articles/flow/routing/exceptions.adoc index ee5a4d8421..14fc641aac 100644 --- a/articles/flow/routing/exceptions.adoc +++ b/articles/flow/routing/exceptions.adoc @@ -55,6 +55,7 @@ You can override the default exception handlers by extending them. The example h [source,java] ---- @ParentLayout(MainLayout.class) +@AnonymousAllowed // <1> public class CustomNotFoundTarget extends RouteNotFoundError { @@ -67,6 +68,11 @@ public class CustomNotFoundTarget } } ---- +<1> Required when using `VaadinSecurityConfigurer` so that unauthenticated users can see the custom error page. Use `@PermitAll` instead if only authenticated users should see it. + +.Spring Security Integration +[IMPORTANT] +When using [classname]`VaadinSecurityConfigurer` (or the deprecated [classname]`VaadinWebSecurity`), all views are denied by default unless explicitly annotated. This applies to error views as well. Without an appropriate annotation, users may see a generic error page instead of your custom not-found page. See <<{articles}/building-apps/security/protect-views#,Protect Views>> and <<{articles}/flow/security/vaadin-security-configurer#configurer,Vaadin Security Configurer>> for more details. Only extending instances are allowed. Exception targets may define [classname]`ParentLayouts`. [classname]`BeforeNavigationEvent` and [classname]`AfterNavigationEvent` are still sent, as with normal navigation. One exception may only have one exception handler. diff --git a/articles/flow/security/enabling-security.adoc b/articles/flow/security/enabling-security.adoc index 8f30dc3f90..24f3fc898e 100644 --- a/articles/flow/security/enabling-security.adoc +++ b/articles/flow/security/enabling-security.adoc 
@@ -451,6 +451,8 @@ public static class CustomAccessDeniedError extends Component [interfacename]`HasErrorParameter` error view needs an access control annotation, so that Vaadin allows navigation to it. The example above uses [annotationname]`@PermitAll`, but [annotationname]`@RolesAllowed` can also be used. [annotationname]`@AnonymousAllowed` isn't recommended, as it exposes information about access restrictions to the anonymous users. +The same applies to custom [classname]`RouteNotFoundError` subclasses -- they also need a security annotation to be accessible. See <<{articles}/flow/routing/exceptions#,Router Exception Handling>>. + If you want to reroute to a different error type, you would do something like the following example. It reroutes unauthorized administrative views to the [classname]`RouteNotFoundError` view, which is the default view for [classname]`NotFoundException` type. [source,java] diff --git a/articles/flow/security/vaadin-security-configurer.adoc b/articles/flow/security/vaadin-security-configurer.adoc index 39a892e1a7..4928069904 100644 --- a/articles/flow/security/vaadin-security-configurer.adoc +++ b/articles/flow/security/vaadin-security-configurer.adoc @@ -174,6 +174,9 @@ public VaadinSecurityConfigurer anyRequest(Consumer> for details on annotating custom error views. + [source,java] ---- public RequestMatcher defaultPermitMatcher()
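Review bot: the new NOTE in the protect-views.adoc hunk offers `@AnonymousAllowed` as the example annotation for "custom error handler views" in general, while the enabling-security.adoc hunk in this same patch keeps the existing guidance that `@AnonymousAllowed` isn't recommended for `HasErrorParameter` access-denied views because it exposes information about access restrictions to anonymous users. Readers entering from Protect Views will apply the NOTE's example to an access-denied view. Suggest narrowing the example to the not-found case (e.g. "for a `RouteNotFoundError` subclass, typically `@AnonymousAllowed`; for access-denied views prefer `@PermitAll` or `@RolesAllowed`"), or rewording to "an annotation matching who should be able to see the page", so the two pages give consistent advice.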
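Review bot: callout `<1>` in the exceptions.adoc hunk explains only that `@AnonymousAllowed` is required under `VaadinSecurityConfigurer`, but the same example declares `@ParentLayout(MainLayout.class)`, and the IMPORTANT block shown as context in the protect-views.adoc hunk states that a view whose parent layout is restricted still blocks users. Add to the callout that `MainLayout` must also permit anonymous access (or the error view must use a layout that does), otherwise unauthenticated users still won't see the custom not-found page. Two smaller consistency points in the same hunk: the callout names only `VaadinSecurityConfigurer` while the IMPORTANT block right below it also covers the deprecated `VaadinWebSecurity`, so the callout could read "Required when using `VaadinSecurityConfigurer` (or the deprecated `VaadinWebSecurity`)"; and the cross-reference `<<{articles}/flow/security/vaadin-security-configurer#configurer,...>>` uses a `#configurer` anchor whereas every other xref in this patch uses the bare `#` page reference, so please confirm that anchor exists.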
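Review bot: in the enabling-security.adoc hunk, "The same applies to custom `RouteNotFoundError` subclasses" is inserted immediately after the sentence saying `@AnonymousAllowed` isn't recommended for access-denied error views, so "the same" reads as also discouraging `@AnonymousAllowed` for not-found views, which contradicts the exceptions.adoc example in this patch that annotates `CustomNotFoundTarget` with `@AnonymousAllowed`. Suggest making the scope explicit, e.g. "Custom `RouteNotFoundError` subclasses also need an access control annotation; the information-leak concern above is specific to access-denied views, and a not-found page is commonly annotated `@AnonymousAllowed` as shown in Router Exception Handling."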
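Review bot: the vaadin-security-configurer.adoc hunk header declares three added lines (`+174,9`), but the only addition visible in the patch is the fragment `> for details on annotating custom error views.`, i.e. the tail of a `<<...>>` cross-reference whose target has been cut off, so the link cannot be reviewed here. Please confirm it points at `{articles}/flow/routing/exceptions#` like the other hunks, and since the note lands between the `anyRequest(...)` entry and the `[source,java]` block for `defaultPermitMatcher()`, check that this is the intended position and not inside the `anyRequest` description.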