I think this all began when our login process was changed because we use a CM for our home page (and various other pages).
Basically what is happening is people are bookmarking our login page. To get there you go through protected pages/actions (our login is loginBounce.do from the home page, for example). The url rewrite filter checks for http/https and switches context, pushing to another page which loads the final action which simply displays the login form JSP.
If you follow that process and log in, it works. When users bookmark that final page/form and submit it we get a 400 error.
My head is spinning looking through all the redirect xml files, login-config, rewrites, web... etc. I have no idea what is going on here and what process it (JBOSS 4.x) is going through and how we end up with a BAD REQUEST error. The login page itself is the standard j_username/j_password deal...
It seems like (to me) that somewhere in all the filters something is being altered, lost, dropped ... I don't know. But I am going crazy trying to figure it out.
I guess what I want to know is what could cause j_security_check to return a 400 error?
Thank you!