fix: log access warning in dev mode (#23395)

caalador · web-flow · commit 2907dd7ff7f0 · 2026-02-03T10:33:38.000Z
Log layout denied by access rule as a warning when in development mode. fixes #23083
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/auth/AnnotatedViewAccessChecker.java b/flow-server/src/main/java/com/vaadin/flow/server/auth/AnnotatedViewAccessChecker.java
@@ -32,6 +32,8 @@
 import com.vaadin.flow.router.RouterLayout;
 import com.vaadin.flow.router.internal.RouteUtil;
 import com.vaadin.flow.server.RouteRegistry;
+import com.vaadin.flow.server.VaadinContext;
+import com.vaadin.flow.server.startup.ApplicationConfiguration;
 
 /**
  * Checks access to views using an {@link AccessAnnotationChecker}.
@@ -163,12 +165,16 @@ private void logDeniedByLayoutAccessRules(NavigationContext context,
 
     private void logDeniedByLayoutAccessRules(NavigationContext context,
             Class<?> layoutClass, String msg) {
-        if (context.isNavigating()) {
-            LOGGER.warn(msg, context.getNavigationTarget().getSimpleName(),
-                    layoutClass.getSimpleName());
+        if (context.isNavigating() || isDevelopmentMode(context)) {
+            if (!context.isNavigating()) {
+                msg = msg
+                        + " This access check was probably triggered by the security framework.";
+            }
+            LOGGER.warn(msg, context.getNavigationTarget().getName(),
+                    layoutClass.getName());
         } else {
-            LOGGER.trace(msg, context.getNavigationTarget().getSimpleName(),
-                    layoutClass.getSimpleName());
+            LOGGER.debug(msg, context.getNavigationTarget().getName(),
+                    layoutClass.getName());
         }
     }
 
@@ -178,4 +184,11 @@ private boolean isImplicitlyDenyAllAnnotated(Class<?> targetView) {
                 || targetView.isAnnotationPresent(RolesAllowed.class));
     }
 
+    private boolean isDevelopmentMode(NavigationContext context) {
+        VaadinContext vaadinContext = context.getRouter().getRegistry()
+                .getContext();
+        ApplicationConfiguration appConfig = ApplicationConfiguration
+                .get(vaadinContext);
+        return !appConfig.isProductionMode();
+    }
 }
