Description
The documentation for NavigationAccessChecker notes the error handling phase, but it does not mention the anonymous route check phase. This is critical if your custom access checker wants to examine the Principal.
My custom checker is called twice per authentication, once with a null principal, and once with a valid one. At first I rejected the null case for pages that needed an authenticated login, but that caused an error because the user WAS logged in, and the annotation checker passed, as they had the right role. My fine grained check for current credential timing failed the initial pass, though, and a conflict was detected between ALLOW and DENY.
Instead I had to ignore a null principal with NEUTRAL, and then the second call would pass a principal that could be verified.
Expected outcome
Documentation should mention custom access checkers are called twice, once without the principal and once with it, and mention what to do if you need to deny requests without a valid principal - rejecting in the first call causes trouble.
Minimal reproducible example
if (context.getPrincipal() == null) return AccessCheckResult.neutral();
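A complete checker shaped the way the description recommends, as an added example that is not from the issue author or the Vaadin project. The NavigationAccessChecker, NavigationContext and AccessCheckResult types are Vaadin's: neutral() and getPrincipal() appear above; isErrorHandling() and deny(String) are assumed from the Vaadin 24 API and should be checked against your version. The credential-age lookup, the Duration limit and the in-memory store are hypothetical stand-ins for the author's own "fine grained" credential-timing check.

```java
import com.vaadin.flow.server.auth.AccessCheckResult;
import com.vaadin.flow.server.auth.NavigationAccessChecker;
import com.vaadin.flow.server.auth.NavigationContext;

import java.security.Principal;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

/**
 * Added example: a checker that only inspects the principal once Vaadin
 * supplies one. The first call of a navigation (anonymous phase) carries a
 * null principal; answering DENY there conflicts with the ALLOW that the
 * annotation checker produces on the second call, so we stay NEUTRAL.
 */
public class CredentialAgeAccessChecker implements NavigationAccessChecker {

    // Hypothetical policy value: how old an authentication may be before
    // this checker refuses it. Not part of Vaadin.
    private final Duration maxAge;
    private final Clock clock;
    // Hypothetical lookup from a principal to the instant it last authenticated.
    private final Function<Principal, Optional<Instant>> lastAuthenticated;

    public CredentialAgeAccessChecker(Duration maxAge, Clock clock,
            Function<Principal, Optional<Instant>> lastAuthenticated) {
        this.maxAge = maxAge;
        this.clock = clock;
        this.lastAuthenticated = lastAuthenticated;
    }

    @Override
    public AccessCheckResult check(NavigationContext context) {
        // Anonymous phase: no principal yet. Do not deny here; the second
        // call for the same navigation carries the authenticated principal.
        if (context.getPrincipal() == null) {
            return AccessCheckResult.neutral();
        }
        // Error-handling phase (the one the Vaadin docs do describe):
        // leave the decision to the other checkers.
        if (context.isErrorHandling()) {
            return AccessCheckResult.neutral();
        }
        Principal principal = context.getPrincipal();
        Optional<Instant> at = lastAuthenticated.apply(principal);
        if (at.isEmpty()) {
            return AccessCheckResult.deny(
                    "No authentication time recorded for " + principal.getName());
        }
        Duration age = Duration.between(at.get(), clock.instant());
        if (age.compareTo(maxAge) > 0) {
            return AccessCheckResult.deny("Credentials older than " + maxAge);
        }
        // Fresh enough: stay NEUTRAL so the annotation checker's role
        // decision (ALLOW for a matching @RolesAllowed) stands on its own.
        return AccessCheckResult.neutral();
    }

    /** Constructed in-memory store of last-authentication instants, keyed by name. */
    public static Function<Principal, Optional<Instant>> inMemoryStore(
            Map<String, Instant> byName) {
        Map<String, Instant> store = new ConcurrentHashMap<>(byName);
        return p -> Optional.ofNullable(store.get(p.getName()));
    }
}
```

Wire the checker in wherever your project registers custom checkers; in a Spring Boot project that is assumed to be NavigationAccessControlConfigurer.withNavigationAccessChecker(...) inside the VaadinWebSecurity configuration, which should also be verified against your Vaadin version. The point the issue makes is the first branch: a null principal in the anonymous phase means "not known yet", not "not logged in", so the only safe answer there is NEUTRAL.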
Steps to reproduce
1. Create an additional access checker that rejects a null principal.
2. Enable annotation checking (in a Spring Boot project).
3. Create a view with a role access annotation.
4. Navigate to the view in an authenticated session with the named role.
Environment
Vaadin version(s): 24.9.4
OS: N/A
Browsers
No response