Suppose a secured URL, that containes a special character (like '?'), which must be endoded according to RFC 3986.
Example: "/sevletname/foo%3Fbar.html", where "%3F" encodes the "?".
After an successfull login the URL is rebuild by org.springframework.security.util.UrlUtils.
But UrlUtils builds up the full URL from its decoded parts, so that the rebuild URL becomes something like "http://HOSTNAME:PORT/servletname/foo?bar.html", which is not encoded correctly, thus resulting in a 404-Error.
I suggest using the Request-URI, which is not decoded by the Servlet and contains - as far as I know, everything after the "http://HOSTNAME:PORT" up to the Query-String.
That URI is not decoded by the Servlet, thus, the rebuild full URL would be still valid.
Encoding the rebuild URL would not work, becaus all special characters (like contained slashes for example) would be encoded than, which is, as far as I know, not correct.