PicketLink: picketlink-bindings/picketlink-tomcat-common/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator.java

The authenticate(..) method reads parameters from the request before the character encoding is set by its super method. By the time super sets it, it's too late and the application will be using the wrong encoding.

    public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException {
        ...
        String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
        String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
        ...
        return localAuthentication(request, response, loginConfig);

which in turn does:

        return super.authenticate(request, response, loginConfig);

and the tomcat valve:

    if (characterEncoding != null) {
        request.setCharacterEncoding(characterEncoding);

So PicketLink reads its parameters before the tomcat valve has a chance to set the encoding, by which time it's too late.

Solution:

Add:

    if (characterEncoding != null) {
        request.setCharacterEncoding(characterEncoding);
    }

as the first action in the PicketLink authenticate(..) method.
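The ordering problem described in the report, as an added example that is not PicketLink or Tomcat code. ModelRequest is a hypothetical, simplified stand-in for a servlet request that decodes its parameters once, on first access; the form body and the "name" field are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class EncodingOrderDemo {

    // Simplified model (assumption, not Tomcat's class): the body is decoded once,
    // on the first getParameter() call, using whatever encoding is set at that moment.
    static class ModelRequest {
        private final String rawBody;
        private Charset encoding = StandardCharsets.ISO_8859_1; // servlet default
        private Map<String, String> parsed; // null until the first parameter access

        ModelRequest(String rawBody) { this.rawBody = rawBody; }

        void setCharacterEncoding(Charset cs) {
            if (parsed == null) { // has no effect once parameters have been read
                encoding = cs;
            }
        }

        String getParameter(String name) {
            if (parsed == null) {
                parsed = new HashMap<>();
                for (String pair : rawBody.split("&")) {
                    String[] kv = pair.split("=", 2);
                    parsed.put(URLDecoder.decode(kv[0], encoding),
                               kv.length > 1 ? URLDecoder.decode(kv[1], encoding) : "");
                }
            }
            return parsed.get(name);
        }
    }

    public static void main(String[] args) {
        // Constructed form body: "name" is "José" percent-encoded as UTF-8.
        String body = "SAMLRequest=&name=Jos%C3%A9";

        ModelRequest readFirst = new ModelRequest(body);
        readFirst.getParameter("SAMLRequest");                  // read first, as in the report
        readFirst.setCharacterEncoding(StandardCharsets.UTF_8); // too late, body already decoded
        System.out.println("read first: " + readFirst.getParameter("name"));

        ModelRequest setFirst = new ModelRequest(body);
        setFirst.setCharacterEncoding(StandardCharsets.UTF_8);  // first action, as proposed
        setFirst.getParameter("SAMLRequest");
        System.out.println("set first:  " + setFirst.getParameter("name"));
    }
}
```

The SAML parameters themselves are base64 and survive either decoding; it is the application's other form fields that come out as mojibake when the encoding is set after the first read.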
Resolved in PicketLink 2.1.8. Will mark this bug as resolved once the pull request is merged.
https://github.com/picketlink2/federation/pull/184
Release notes text added for inclusion in the JBoss EAP 6.2.0 Release Notes.