I think this all began when our login process was changed because we use a CM for our home page (and various other pages).
Basically what is happening is people are bookmarking our login page. To get there you go through protected pages/actions (our login is loginBounce.do from the home page, for example). The URL rewrite filter checks for HTTP/HTTPS and switches context, pushing to another page which loads the final action, which simply displays the login form JSP.
If you follow that process and log in, it works. When users bookmark that final page/form and submit it, we get a 400 error.
My head is spinning looking through all the redirect XML files, login-config, rewrites, web... etc. I have no idea what is going on here and what process it (JBoss 4.x) is going through and how we end up with a BAD REQUEST error. The login page itself is the standard j_username/j_password deal...
It seems like (to me) that somewhere in all the filters something is being altered, lost, dropped ... I don't know. But I am going crazy trying to figure it out.
I guess what I want to know is what could cause j_security_check to return a 400 error?
So I did more research... and the problem is that people should not go directly TO the login.jsp... but when you use a protected page and get redirected to this action/page, how can you PREVENT people from bookmarking it right then and there? That's what is happening... the login form comes up... people bookmark it. All I can think to do is to have a link saying "bookmark this page" and actually have it bookmark a protected action... what do you think?
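
The flow described in the post, as an added example that is not part of the original post and is not JBoss code: a simplified Python model of container-managed form login, assuming the Tomcat-style behaviour in which `j_security_check` needs a saved protected request in the session and answers 400 when there is none. The paths come from the post; the account and session handling are constructed for illustration.

```python
# Simplified model (an assumption, not JBoss source) of container-managed
# FORM authentication: the original protected request is saved in the session,
# and j_security_check needs it to know where to send the user after login.
import itertools

PROTECTED = {"/loginBounce.do"}      # protected action named in the post
LOGIN_FORM = "/login.jsp"            # login form page named in the post
USERS = {"alice": "s3cret"}          # constructed test account


class Container:
    def __init__(self):
        self.sessions = {}           # session id -> per-session state
        self._ids = itertools.count(1)

    def _session(self, sid):
        if sid not in self.sessions:
            sid = "S%d" % next(self._ids)
            self.sessions[sid] = {"saved_request": None, "user": None}
        return sid, self.sessions[sid]

    def handle(self, method, path, sid=None, form=None):
        """Return (status, location_or_body, session_id)."""
        sid, sess = self._session(sid)
        if method == "POST" and path == "/j_security_check":
            form = form or {}
            user = form.get("j_username")
            if user is None or USERS.get(user) != form.get("j_password"):
                return 200, "form-error-page", sid
            target = sess["saved_request"]
            if target is None:
                # No protected request preceded this login: nowhere to return to.
                return 400, "no saved request", sid
            sess["user"], sess["saved_request"] = user, None
            return 302, target, sid
        if path in PROTECTED and sess["user"] is None:
            sess["saved_request"] = path     # remembered for after login
            return 302, LOGIN_FORM, sid
        return 200, path, sid


def login_via(container, first_path):
    """Open first_path in a fresh session, submit the form, return the status."""
    creds = {"j_username": "alice", "j_password": "s3cret"}
    _, _, sid = container.handle("GET", first_path)
    status, _, _ = container.handle("POST", "/j_security_check", sid, creds)
    return status
```

Entering through `/loginBounce.do` ends in a 302 back to the saved request, while starting at the bookmarked `/login.jsp` ends in the 400, even with correct credentials.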