Mikhail Mazursky (Migrated from SEC-1772) said:
URLDecoder.decode(targetUrl, "UTF-8") call is not needed in org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler and it breaks URLs with GET parameters escaped in them.
p.s. also isUseReferer() is missing.
Luke Taylor said:
I've removed the decoding. This was part of the patch for SEC-213, which was related to CAS proxying. I'm not sure if there was a valid reason for it then, but CAS proxying no longer requires redirects, so it no longer seems necessary in any case.