The FormAuthenticationMechanism constructs the redirect URL including the following line:

sb.append(requestURI.getPath()); 

If the original request URL included any escaped characters these will have been lost by the call to getPath() meaning the Location sent back to the caller after authentication will be invalid.

Instead we need to call getRawPath() if we want to include it in the string concatenation.