From 4e6e421619ee9fa6dd36e260884be6e8552f4d77 Mon Sep 17 00:00:00 2001
From: Marco Collovati <marco@vaadin.com>
Date: Wed, 7 Jan 2026 07:43:48 +0100
Subject: [PATCH] docs: fix anyRequest default value in
 VaadinSecurityConfigurer

The default rule for anyRequest() changed from authenticated() to
denyAll() in Vaadin 25. Update the documentation to reflect this
behavior change.

Fixes #5048
---
 articles/flow/security/vaadin-security-configurer.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/articles/flow/security/vaadin-security-configurer.adoc b/articles/flow/security/vaadin-security-configurer.adoc
index 95d10837ad..39a892e1a7 100644
--- a/articles/flow/security/vaadin-security-configurer.adoc
+++ b/articles/flow/security/vaadin-security-configurer.adoc
@@ -172,7 +172,7 @@ Enables or disables configuration of `NavigationAccessControl`. `NavigationAcces
 public VaadinSecurityConfigurer anyRequest(Consumer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizedUrl> anyRequestAuthorizeRule)
 ----
 
-Configures the access rule for any request not matching other configured rules. The default rule is to require authentication, which is the equivalent of passing `AuthorizedUrl::authenticated()` to this method.
+Configures the access rule for any request not matching other configured rules. The default rule is to forbid the access, which is the equivalent of passing `AuthorizedUrl::denyAll()` to this method. This means that extra security rules (path matchers) are required for protected URLs not handled by the framework.
 
 [source,java]
 ----