Closed Artur- closed 1 month ago
Acceptance Criteria:
AtRoute and AtLayout (new annotation in 24.5), i.e. if no access annotations are placed on these classes and if no URL-based security rules are set.
RouterLayout API Flow should work as in 24.4 regarding access control, Hilla endpoints should be the same as well.
AtLayout is a priority for access control comparing to what AtRoute does have, e.g. if AtLayout class has a role protection, all the routes within this layout should have this role, else restrict the access, no matter if they are public or login protected.
This table represents the requirements for all the combinations for Flow/Hilla main layouts vs access control rules:
Description of the bug
If you have a Hilla view that is rendered inside a @Layout Java layout, then access to the Hilla view is always denied
Expected behavior
Access control is based on the Hilla view settings
Minimal reproducible example
start.vaadin.com -> add a hilla view with AC "logged in" -> download -> select flow main layout
Versions
Hilla: 24.5.0.beta4
Flow: 24.5.0.beta3
Vaadin: 24.5.0.beta4
Copilot: 24.5.0.beta3
Frontend Hotswap: Enabled, using Vite
OS: aarch64 Mac OS X 15.0
Java: JetBrains s.r.o. 21.0.3
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Java Hotswap: false
IDE Plugin: ☑ 1.0.0