vaadin-upload : Upload forbidden

Hi, I tested the vaadin-upload component within a hilla app successfully as long security is not ‘enabled’.
There a few things I noticed:

  1. I can change the target url to a nonexisting url and still get an status 200 in the UploadResponse Event. So what is the expected behaviour here ?
  2. when enabling security (following the hilla in-depth tutorial) I get a ‘Upload forbidden’ in the page and status 403 (obviously).
    With the separate controller (not @Endpoint - which is not usable according to the docs) there seems to be missing something in the request ? (csrf token e.g.)
    I tried to use http.csrf( c → c.disable()) in the security configuration but that did not help.

Is there a working hilla example with authentication (stateless jws) enabled ?