Hi there! Thanks for taking a look at this issue. Please let me know if you require more information. Let's discuss!
Describe the bug
HttpSessionRequestCache#getMatchingRequest relies on org.springframework.web.util.UriComponentsBuilder#fromUriString(String) to be able to handle decoded % characters.
To Reproduce
The org.springframework.web.util.UriComponentsBuilder#fromUriString(String) cannot handle a % followed by characters that result in false %-encoding.
import static org.assertj.core.api.Assertions.assertThatRuntimeException;
import org.junit.jupiter.api.Test;
import org.springframework.web.util.UriComponentsBuilder;

@Test
void unencodedPercent() {
    // a decoded path whose '%' is not followed by two hex digits is rejected by the parser
    assertThatRuntimeException().isThrownBy(() -> UriComponentsBuilder.fromUriString("/30 % off"));
}
This leads to a org.springframework.web.util.InvalidUrlException: Bad path when such a request gets to HttpSessionRequestCache#getMatchingRequest. An encoded request https://example.com/myapp/discounts/30%20%25%20off is returned decoded by UrlUtils#buildRequestUrl(HttpServletRequest). The UriComponentsBuilder cannot handle this decoded %.
Expected behavior
My request does not result in an InvalidUrlException.
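The following is an added illustration, not code from the issue author or from Spring Security, of the mismatch the report describes: a path that has already been %-decoded (as UrlUtils#buildRequestUrl returns it) contains a literal "%" and is rejected by UriComponentsBuilder.fromUriString, whereas the same path re-encoded with UriUtils.encodePath parses and round-trips. It assumes Spring Framework 6.2.x on the classpath (where fromUriString throws org.springframework.web.util.InvalidUrlException); the class name DecodedPercentExample and the helper parseDecodedPath are hypothetical.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.web.util.InvalidUrlException;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/**
 * Added example (not project code): a decoded path with a literal '%' must be
 * re-encoded before it is handed to UriComponentsBuilder.
 */
public class DecodedPercentExample {

    /** Parses a path that has already been %-decoded, e.g. what UrlUtils#buildRequestUrl returns. */
    static UriComponents parseDecodedPath(String decodedPath) {
        // Re-encode so that a literal '%' becomes "%25" and a space becomes "%20";
        // the result is a well-formed encoded path that the RFC parser accepts.
        String encoded = UriUtils.encodePath(decodedPath, StandardCharsets.UTF_8);
        // build(true) declares the components as already encoded and verifies them.
        return UriComponentsBuilder.fromUriString(encoded).build(true);
    }

    public static void main(String[] args) {
        // Constructed sample: the decoded form of /myapp/discounts/30%20%25%20off
        String decoded = "/myapp/discounts/30 % off";

        // 1. Feeding the decoded path straight in fails exactly as in the report.
        try {
            UriComponentsBuilder.fromUriString(decoded);
            System.out.println("unexpected: decoded path parsed without error");
        } catch (InvalidUrlException ex) {
            System.out.println("direct parse rejected: " + ex.getMessage());
        }

        // 2. Re-encoding first yields a parseable path whose decoded form matches the input.
        UriComponents components = parseDecodedPath(decoded);
        String roundTrip = UriUtils.decode(components.getPath(), StandardCharsets.UTF_8);
        System.out.println("encoded path: " + components.getPath());
        System.out.println("round trip:   " + roundTrip);
        System.out.println("round-trip ok: " + decoded.equals(roundTrip));
    }
}
```

The point for anyone comparing a saved request against the current one is that both sides must be in the same encoding state before parsing; comparing an encoded URL with a decoded one either throws, as here, or silently fails to match.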
Comment From: mkleine
In fact, every request containing a properly encoded % sign followed by a non-hex character will cause an exception in line https://github.com/spring-projects/spring-security/blob/ec3cc66b647d35365c2f165c263f83ba3d27f063/web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java#L107, as the path of the URI to be checked is decoded, as documented at https://github.com/spring-projects/spring-security/blob/ec3cc66b647d35365c2f165c263f83ba3d27f063/web/src/main/java/org/springframework/security/web/util/UrlUtils.java#L85.
The decoded URI could be parsed using the WHAT_WG parser type, but that's not configurable at that line. @marcusdacoregio can you confirm this analysis? You introduced this line in https://github.com/spring-projects/spring-security/commit/18e88366d284a1edfc2936081cd971439e14a743.