vaadin
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 2 additions & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 2 additions & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/views/PassThroughView.java
Lines changed: 3 additions & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/views/PassThroughView.java
Lines changed: 3 additions & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/main/resources/static/restricted/secret.txt
Lines changed: 1 addition & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/main/resources/static/restricted/secret.txt
Lines changed: 1 addition & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
Lines changed: 3 additions & 1 deletion b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
Lines changed: 3 additions & 1 deletion
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
Lines changed: 19 additions & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
Lines changed: 19 additions & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 2 additions & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 2 additions & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/views/PassThroughView.java
Lines changed: 3 additions & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/views/PassThroughView.java
Lines changed: 3 additions & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/resources/static/restricted/secret.txt
Lines changed: 1 addition & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/resources/static/restricted/secret.txt
Lines changed: 1 addition & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
Lines changed: 3 additions & 1 deletion b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
Lines changed: 3 additions & 1 deletion
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
Lines changed: 19 additions & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
Lines changed: 19 additions & 0 deletions
@@ -78,6 +78,8 @@ public void configure(HttpSecurity http) throws Exception {
                     .hasAnyRole(ROLE_ADMIN)
                 .requestMatchers(antMatchers("/home", "/hey/**"))
                     .permitAll()
+                .requestMatchers(antMatchers("/all-logged-in/**"))
+                    .authenticated()
         );
         // @formatter:on
 
 
@@ -16,12 +16,15 @@
 
 package com.vaadin.flow.spring.flowsecurity.views;
 
+import jakarta.annotation.security.PermitAll;
+
 import com.vaadin.flow.component.html.Div;
 import com.vaadin.flow.router.BeforeEnterEvent;
 import com.vaadin.flow.router.BeforeEnterObserver;
 import com.vaadin.flow.router.Route;
 
 @Route(value = "passthrough/:type(forward|reroute)")
+@PermitAll
 public class PassThroughView extends Div implements BeforeEnterObserver {
 
     @Override
 
@@ -0,0 +1 @@
+Top secret restricted content
@@ -44,7 +44,9 @@ public void tearDown() {
 
     private void checkForBrowserErrors() {
         checkLogsForErrors(msg -> msg.contains(
-                "admin-only/secret.txt - Failed to load resource: the server responded with a status of 403")
+                "restricted/secret.txt?continue - Failed to load resource: the server responded with a status of 403")
+                || msg.contains(
+                        "admin-only/secret.txt - Failed to load resource: the server responded with a status of 403")
                 || msg.contains(
                         "admin-only/secret.txt?continue - Failed to load resource: the server responded with a status of 403")
                 || (msg.contains("X-Atmosphere-Transport=close")
 
@@ -176,6 +176,25 @@ public void access_restricted_to_logged_in_users() {
         assertLoginViewShown();
     }
 
+    @Test
+    public void access_restricted_to_all_by_default() {
+        String path = "restricted/secret.txt";
+
+        openResource(path);
+        assertLoginViewShown();
+        loginUser();
+        assertForbiddenPage();
+        logout();
+
+        openResource(path);
+        loginAdmin();
+        assertForbiddenPage();
+        logout();
+
+        openResource(path);
+        assertLoginViewShown();
+    }
+
     @Test
     public void access_restricted_to_admin() {
         String contents = "Secret document for admin";
 
@@ -89,6 +89,8 @@ public SecurityFilterChain webFilterChain(HttpSecurity http,
                     .hasAnyRole(ROLE_ADMIN)
                 .requestMatchers(antMatchers("/home", "/hey/**"))
                     .permitAll()
+                .requestMatchers(antMatchers("/all-logged-in/**"))
+                    .authenticated()
                 );
         // @formatter:on
         http.with(vaadin(),
 
@@ -16,12 +16,15 @@
 
 package com.vaadin.flow.spring.flowsecurity.views;
 
+import jakarta.annotation.security.PermitAll;
+
 import com.vaadin.flow.component.html.Div;
 import com.vaadin.flow.router.BeforeEnterEvent;
 import com.vaadin.flow.router.BeforeEnterObserver;
 import com.vaadin.flow.router.Route;
 
 @Route(value = "passthrough/:type(forward|reroute)")
+@PermitAll
 public class PassThroughView extends Div implements BeforeEnterObserver {
 
     @Override
 
@@ -0,0 +1 @@
+Top secret restricted content
@@ -44,7 +44,9 @@ public void tearDown() {
 
     private void checkForBrowserErrors() {
         checkLogsForErrors(msg -> msg.contains(
-                "admin-only/secret.txt - Failed to load resource: the server responded with a status of 403")
+                "restricted/secret.txt?continue - Failed to load resource: the server responded with a status of 403")
+                || msg.contains(
+                        "admin-only/secret.txt - Failed to load resource: the server responded with a status of 403")
                 || msg.contains(
                         "admin-only/secret.txt?continue - Failed to load resource: the server responded with a status of 403")
                 || (msg.contains("X-Atmosphere-Transport=close")
 
@@ -178,6 +178,25 @@ public void access_restricted_to_logged_in_users() {
         assertLoginViewShown();
     }
 
+    @Test
+    public void access_restricted_to_all_by_default() {
+        String path = "restricted/secret.txt";
+
+        openResource(path);
+        assertLoginViewShown();
+        loginUser();
+        assertForbiddenPage();
+        logout();
+
+        openResource(path);
+        loginAdmin();
+        assertForbiddenPage();
+        logout();
+
+        openResource(path);
+        assertLoginViewShown();
+    }
+
     @Test
     public void access_restricted_to_admin() {
         String contents = "Secret document for admin";