@knoobie you’re right! I completely missed that issue.
And, yeah, it’s also weird that we have loginView methods that take a logoutSuccessUrl but not a loginSuccessUrl.
loginSuccessUrl should definitely be added to VaadinSecurityConfigurer.
The current workaround is to register a custom VaadinSavedRequestAwareAuthenticationSuccessHandler
VaadinSavedRequestAwareAuthenticationSuccessHandler successHandler = new VaadinSavedRequestAwareAuthenticationSuccessHandler();
successHandler.setDefaultTargetUrl("/main");
successHandler.setAlwaysUseDefaultTargetUrl(true);
http.setSharedObject(VaadinSavedRequestAwareAuthenticationSuccessHandler.class, successHandler);
http.with(vaadin(), c -> { ... });