TYPO3.Flow

Did you try to call the protected action manually, or via a Fluid generated link?
I'm asking, because to call protected action you also need to pass a csrfToken in the URL.
If the link is generated by Fluid, the URL contains the csrfToken automatically.

Another option is to annotate the action with @FLOW3\SkipCsrfProtection.

No real documentation for this yet, but here is an explanation:
[[http://media.netlogix.de/community/details/artikel/csrf-protection-in-typo3-phoenix-kindly-provided-by-flow3]]

It is the first call to the Site. Meaning a user calls a domain like: http://mydomain
This url is linked to a site, which is under ACL restriction. The idea is that the user becomes redirected to the login in case that he is not logged in or can see the content of the page in case that he is already authenticated.

The controller method is already annotated with @FLOW3\SkipCsrfProtection

I can confirm this problem on latest Flow master. I think that either throwing an "AccessDeniedException" is wrong here or that the RequestDispatchingAspect should also redirect to the login form in case the access was denied.

As far as I understand the concept, "AccessDeniedException"s should be thrown when there is no hope that the user might gain access with a login, i.e. they are already logged in but don't have the neccessary permissions to view the requested resource.
OTOH, the "AuthenticationRequiredException" is thrown when no user has authenticated, but authentication is required to view the desired resource.

The flaws seem to be at various other locations in the system, where no check is performed to see if a user is authenticated or not before throwing an exception - the exception used would depend on that. I'd like to check with the Flow team what part should be fixed here.

Will/can this maybe be resolved with https://review.typo3.org/#/c/18695/6 ?