4 changes: 4 additions & 0 deletions articles/building-apps/security/protect-views.adoc
Expand Up @@ -76,6 +76,10 @@ public class AdminView extends Main {
[IMPORTANT]
When protecting views, ensure the router layout also allows access. If a view is accessible but its parent layout is restricted, users will still be blocked.

.Error Views Need Security Annotations Too
[NOTE]
Custom error handler views -- such as a class extending [classname]`RouteNotFoundError` -- are also subject to access control. Add an appropriate security annotation (e.g., [annotationname]`@AnonymousAllowed`) to ensure they are accessible. Without an annotation, users may see a generic error page instead of your custom error view. See <<{articles}/flow/routing/exceptions#,Router Exception Handling>> for more details.


=== Annotation Inheritance

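Review bot: The annotation suggested as the example in this NOTE, `@AnonymousAllowed`, conflicts with the guidance this same PR keeps in enabling-security.adoc, where `@AnonymousAllowed` on an error view is described as not recommended because it exposes information about access restrictions to anonymous users. The two pages should agree: either say here that anonymous access is the usual choice for a not-found view while access-denied error views should use `@PermitAll` or `@RolesAllowed`, or drop the specific annotation from this NOTE and defer to the linked Router Exception Handling page. Minor: the added blank line before `=== Annotation Inheritance` leaves two consecutive blank lines; one is enough.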
6 changes: 6 additions & 0 deletions articles/flow/routing/exceptions.adoc
Expand Up @@ -55,6 +55,7 @@ You can override the default exception handlers by extending them. The example h
[source,java]
----
@ParentLayout(MainLayout.class)
@AnonymousAllowed // <1>
public class CustomNotFoundTarget
extends RouteNotFoundError {

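Review bot: `@AnonymousAllowed // <1>` is now shown to every reader of this example, including those with no security configured, but the explanation of when it is actually needed lives only in the callout below the block. A short clause in the introductory sentence ("You can override the default exception handlers by extending them ...") saying that the annotation is only required when access control is enabled would stop readers from taking it as a prerequisite for overriding the handler at all. Consider also stating what happens without the annotation in plain words next to the code (the custom target is skipped and the generic error page is shown), since that is the failure mode this PR is documenting.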
Expand All @@ -67,6 +68,11 @@ public class CustomNotFoundTarget
}
}
----
<1> Required when using `VaadinSecurityConfigurer` so that unauthenticated users can see the custom error page. Use `@PermitAll` instead if only authenticated users should see it.

.Spring Security Integration
[IMPORTANT]
When using [classname]`VaadinSecurityConfigurer` (or the deprecated [classname]`VaadinWebSecurity`), all views are denied by default unless explicitly annotated. This applies to error views as well. Without an appropriate annotation, users may see a generic error page instead of your custom not-found page. See <<{articles}/building-apps/security/protect-views#,Protect Views>> and <<{articles}/flow/security/vaadin-security-configurer#configurer,Vaadin Security Configurer>> for more details.

Only extending instances are allowed. Exception targets may define [classname]`ParentLayouts`. [classname]`BeforeNavigationEvent` and [classname]`AfterNavigationEvent` are still sent, as with normal navigation. One exception may only have one exception handler.

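Review bot: The callout text at `<1>` says the annotation is required "when using `VaadinSecurityConfigurer`", while the IMPORTANT block two lines later also names the deprecated `VaadinWebSecurity`; the callout should mention both (or say "when Spring Security view access control is enabled") so the two statements do not diverge. Two consistency points in the same region: the callout writes the class as plain `VaadinSecurityConfigurer` whereas the admonition uses the `[classname]` macro, and the `.Spring Security Integration` admonition repeats the "generic error page" sentence that the callout already states. Finally, "Use `@PermitAll` instead if only authenticated users should see it" leaves open what an unauthenticated visitor of an unknown URL gets in that case; a half sentence on the resulting behaviour would help readers choose between the two annotations.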
2 changes: 2 additions & 0 deletions articles/flow/security/enabling-security.adoc
Expand Up @@ -451,6 +451,8 @@ public static class CustomAccessDeniedError extends Component

[interfacename]`HasErrorParameter` error view needs an access control annotation, so that Vaadin allows navigation to it. The example above uses [annotationname]`@PermitAll`, but [annotationname]`@RolesAllowed` can also be used. [annotationname]`@AnonymousAllowed` isn't recommended, as it exposes information about access restrictions to the anonymous users.

The same applies to custom [classname]`RouteNotFoundError` subclasses -- they also need a security annotation to be accessible. See <<{articles}/flow/routing/exceptions#,Router Exception Handling>>.

If you want to reroute to a different error type, you would do something like the following example. It reroutes unauthorized administrative views to the [classname]`RouteNotFoundError` view, which is the default view for [classname]`NotFoundException` type.

[source,java]
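Review bot: "The same applies" directly follows a paragraph that discourages `@AnonymousAllowed` on the access-denied error view, so readers will take the new sentence to mean that `@AnonymousAllowed` is also discouraged on `RouteNotFoundError` subclasses, which contradicts exceptions.adoc in this same PR, where `@AnonymousAllowed` is the annotation shown and described as required for unauthenticated users. Suggest spelling out the distinction: a not-found view normally needs `@AnonymousAllowed` so that an unknown URL renders the same for everyone, whereas the access-denied view should stay behind `@PermitAll` or `@RolesAllowed` for the reason given in the paragraph above. The following paragraph, which reroutes unauthorized administrative views to `RouteNotFoundError`, is also the natural place to say that this rerouting only hides the view's existence if the not-found target is itself reachable by the user being rerouted.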
3 changes: 3 additions & 0 deletions articles/flow/security/vaadin-security-configurer.adoc
Expand Up @@ -174,6 +174,9 @@ public VaadinSecurityConfigurer anyRequest(Consumer<AuthorizeHttpRequestsConfigu

Configures the access rule for any request not matching other configured rules. The default rule is to forbid the access, which is the equivalent of passing `AuthorizedUrl::denyAll()` to this method. This means that extra security rules (path matchers) are required for protected URLs not handled by the framework.

[NOTE]
This catch-all rule applies to HTTP requests only. Vaadin error handler views (e.g., custom [classname]`RouteNotFoundError` subclasses) are controlled at the navigation level by security annotations like [annotationname]`@AnonymousAllowed`. See <<{articles}/flow/routing/exceptions#,Router Exception Handling>> for details on annotating custom error views.

[source,java]
----
public RequestMatcher defaultPermitMatcher()
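Review bot: The NOTE says the catch-all rule "applies to HTTP requests only" and that error views are controlled at the navigation level, but a direct browser request for an unknown URL is itself an HTTP request, so a reader may conclude it is denied by the `anyRequest` default before any annotation is considered. Please state how such a request passes this layer (which matcher admits it, for example the `defaultPermitMatcher()` documented next) so that the annotation on the `RouteNotFoundError` subclass is reached at all; as written, the paragraph above ("The default rule is to forbid the access") and the NOTE read as contradictory. Minor: "e.g." inside an admonition reads better spelled out as "for example".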