How to permit child pages from root only

Question

I have a Spring Boot Vaadin web app with Spring Security and keycloak-spring-security-adapter.

This works fine on the root page. From the root page I can access the child page /edit/{id} without problems. But I want authenticated users to be able to call the child page with parameter directly. This is important, because another Vaadin web app with the same security should be able to access the edit page directly. This should work due to SSO.

I searched in books, tutorials and of cause Stackoverflow. But no solution did work. I read about CORS, but I must admit, I don't understand that enough.

This are my security configuration classes:

@KeycloakConfiguration
public class UiSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
    @Autowired
    private KeycloakClientRequestFactory factory;
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
        keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keyCloakAuthProvider);
    }
    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
    public KeycloakRestTemplate restTemplate() {
        return new KeycloakRestTemplate(factory);
    }
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }
    @Override
    public void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .cors().disable()
            .csrf().disable()
            .anonymous().disable()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .and()
            .authorizeRequests()
                .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
                .anyRequest().hasAnyRole("ROLE_trainer", "ROLE_admin");
    }
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
        // Vaadin Flow static resources //
        "/VAADIN/**",
        // the standard favicon URI
        "/favicon.ico",
        // the robots exclusion standard
        "/robots.txt",
        // web application manifest //
        "/manifest.webmanifest", "/sw.js", "/offline-page.html",
        // (development mode) static resources //
        "/frontend/**",
        // (development mode) webjars //
        "/webjars/**",
        // (production mode) static resources //
        "/frontend-es5/**", "/frontend-es6/**");
    }
    @Bean
    public static KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}

@Component
public class ConfigureUIServiceInitListener implements VaadinServiceInitListener {
    @Override
    public void serviceInit(ServiceInitEvent event) {
        event.getSource().addUIInitListener(uiEvent -> {
            final UI ui = uiEvent.getUI();
            ui.addBeforeEnterListener(this::beforeEnter);
        });
    }
    private void beforeEnter(BeforeEnterEvent event) {    
        Class<?> navigationTarget = event.getNavigationTarget();

        if (isSecureAndNotAuthentificated(navigationTarget)) {
            event.rerouteTo("");
        }
    }
    private boolean isSecureAndNotAuthentificated(Class<?> navigationTarget) {
        boolean userLoggedIn = SecurityUtils.isUserLoggedIn();
        return MainView.class.equals(navigationTarget) && !userLoggedIn;
    }
}

This is my keycloak development setting: These are the versions I use:

Spring Boot Starter: 2.6.2, Keycloak: 11.0.1, Vaadin: 14.4.2

How can I make other routes accessible for authenticated users via SSO?