FormAuthenticator.authenticate() can send the client an error response with Japanese characters. For example:

    response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, sm.getString("authenticator.sessionExpired"));

This deviates from the HTTP RFC. From http://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html#sec6.1.1:

    Reason-Phrase = *<TEXT, excluding CR, LF>

    The TEXT rule is only used for descriptive field contents and values that are not intended to be interpreted by the message parser. Words of *TEXT MAY contain characters from character sets other than ISO-8859-1 [22] only when encoded according to the rules of RFC 2047 [14].

This can cause some problems with some clients. For example, httpclient 3 reads the HTTP status line by looping over the line byte-by-byte, looking for the "\n" byte. The authenticator.sessionExpired Japanese string happens to contain a Japanese character for which one of the bytes matches "\n", breaking this logic.
As a work-around you should be able to set USE_CUSTOM_STATUS_MSG_IN_HEADER to false (the default). That said, Tomcat shouldn't be putting anything other than ISO-8859-1 in the headers. Patch to follow shortly to fix that.
Patch applied to trunk and proposed for 6.0.x and 5.5.x.
The patch has been reverted from trunk following discussion on the dev list and the associated backport proposals withdrawn. A new patch will follow shortly.
A new patch has been applied to trunk and proposed for 6.0.x and 5.5.x.
This has been fixed in 6.0.x and will be included in 6.0.21 onwards.
This has been fixed in 5.5.x and will be included in 5.5.29 onwards.
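
Added example, not part of the original thread and not Tomcat's patch: a check that a localized message is usable as an RFC 2616 Reason-Phrase, with a fallback phrase when it is not, following the report and the "nothing other than ISO-8859-1 in the headers" comment above. The class and method names, the sample message, and the writer that narrows each char to one byte are assumptions made for illustration; the report does not say which encoding step produced the "\n" byte.

```java
class ReasonPhraseCheck {
    // RFC 2616 TEXT without CR/LF: ISO-8859-1 range, no control characters except HT.
    static boolean isSafeReasonPhrase(String msg) {
        if (msg == null) return false;
        for (int i = 0; i < msg.length(); i++) {
            char c = msg.charAt(i);
            if (c > 0xFF || c == 0x7F || (c < 0x20 && c != '\t')) return false;
        }
        return true;
    }

    // Builds the status line, falling back to a plain ASCII phrase when the
    // localized message cannot be sent as a Reason-Phrase.
    static String statusLine(int code, String localized, String fallback) {
        String reason = isSafeReasonPhrase(localized) ? localized : fallback;
        return "HTTP/1.1 " + code + " " + reason + "\r\n";
    }

    // Assumption: a header writer that narrows each char to a single byte.
    static byte[] narrow(String s) {
        byte[] out = new byte[s.length()];
        for (int i = 0; i < s.length(); i++) out[i] = (byte) s.charAt(i);
        return out;
    }

    // Index of the first 0x0A, i.e. where a byte-by-byte reader ends the line.
    static int firstLineFeed(byte[] wire) {
        for (int i = 0; i < wire.length; i++) if (wire[i] == 0x0A) return i;
        return -1;
    }

    public static void main(String[] args) {
        // Constructed message, not Tomcat's real string: U+4E0A has low byte 0x0A.
        String localized = "session \u4E0A expired";
        String unchecked = "HTTP/1.1 408 " + localized + "\r\n";
        String checked = statusLine(408, localized, "Request Timeout");

        System.out.println("safe reason phrase: " + isSafeReasonPhrase(localized));
        System.out.println("unchecked: LF at " + firstLineFeed(narrow(unchecked))
                + " of " + unchecked.length() + " bytes");
        System.out.println("checked:   LF at " + firstLineFeed(narrow(checked))
                + " of " + checked.length() + " bytes");
    }
}
```

With the unchecked line the first line feed falls in the middle of the reason phrase, so a byte-by-byte reader ends the status line early; with the checked line the only line feed is the final byte.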