Ok, I am getting your point. Thanks for that helpful explanation.
I've tried around with the plus sign in my browsers. It is never escaped as a literal plus sign.
If you enter http://example.com/ jvg+37xRX4tKphEsdgtSMg== in your browser, you will see that it does not escape anything, because it does not have to.
Yuk. I'm not sure about that. I am not escaping spaces with + or %20 by default. It's not something the average browser user would do, wouldn't they? Wouldn't they rather mean a plus sign if they put it in....?
Thinking about it - no, you could never know. The URL might have been copied from somewhere. So, it's ALWAYS interpreted as a space. But how then input a literal plus - as %2B? But the clients do not scan automatically for %2B, yet. They do have to know that it might come along.
If you submit "foo+bar", your browser will encode the + and do a request on http://www.google.nl/search?q=foo%2Bbar.
No, I've tried that. I am not able to trigger that conversion, neither on Firefox nor on Safari. (There are possiblity a lot of combinations I haven't tried, though.)
If anything, the issue you are having seem to be on the server side (in DispatcherServlet), where we seem to do too aggressive decoding by using URLDecoder for any request URL (see UrlPathHelper#decodeRequestString). Hence jvg+37xRX4tKphEsdgtSMg== that is decoded into jvg 37xRX4tKphEsdgtSMg==. I will do some further investigation on this, and create a new JIRA for that if necessary.
Is it really an error on the server side? I wondered about that when I described the test. But after your last comment I am not sure anymore.