UnAuthenticateAction.act() can cause a redirect loop if XMLUI is at the root (i.e. https://dspace.example.com/ not https://dspace.example.com/xmlui). After logging the user out, it redirects to the value of HttpServletRequest.getContextPath(), which for a root application is "", which is the relative path for "this page (again)". It should simply redirect to the value of dspace.url.
Noted in passing: we don't document where you should expect to land after logging out.
Noted in passing: act() tests an undocumented configuration value 'xmlui.public.logout' which appears nowhere else in the source kit, and if true, pastes up a complete URL using the context path and a constant 'http' scheme. This can be wrong if dspace.url uses the 'https' scheme, and it's likely never used anywhere anyway since you'd only know of it by reading the code. The intent here seems to be to force the session out of SSL – why, I can't imagine.
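The redirect targets discussed above, as an added standalone model (not DSpace code and not part of the original report). It assumes a "/logout" request path and takes the host name as a parameter; all method names are hypothetical. It shows why an empty context path resolves back to the page that issued the redirect, and how the constant 'http' scheme diverges from an https dspace.url.

```java
import java.net.URI;

/** Standalone model of the logout redirect target; hypothetical names, not DSpace code. */
public class LogoutRedirectDemo {

    /** Behaviour described in the report: redirect to the bare context path. */
    static String reportedTarget(String contextPath) {
        return contextPath; // "" when the webapp is deployed at the root
    }

    /** Behaviour described for xmlui.public.logout=true: constant "http" scheme.
     *  Taking the host as a parameter is an assumption of this model. */
    static String publicLogoutTarget(String host, String contextPath) {
        return "http://" + host + contextPath;
    }

    /** Behaviour the report proposes: redirect to the configured dspace.url. */
    static String proposedTarget(String dspaceUrl) {
        return dspaceUrl;
    }

    /** Resolve a Location value against the request URL, as a browser would. */
    static String landsOn(String requestUrl, String location) {
        return URI.create(requestUrl).resolve(location).toString();
    }

    /** True when following the redirect returns to the URL that issued it. */
    static boolean loops(String requestUrl, String location) {
        return landsOn(requestUrl, location).equals(requestUrl);
    }

    public static void main(String[] args) {
        String host = "dspace.example.com";
        String rootUrl = "https://" + host + "/";          // XMLUI at the root
        String subUrl = "https://" + host + "/xmlui";      // XMLUI under /xmlui
        String rootLogout = rootUrl + "logout";            // assumed logout path
        String subLogout = subUrl + "/logout";             // assumed logout path

        // Root deployment: context path "" resolves to the logout URL itself.
        System.out.println("root, reported: loops=" + loops(rootLogout, reportedTarget("")));
        // Sub-path deployment: context path "/xmlui" leaves the logout URL.
        System.out.println("/xmlui, reported: " + landsOn(subLogout, reportedTarget("/xmlui")));
        // Redirecting to dspace.url works for both deployments.
        System.out.println("root, proposed: " + landsOn(rootLogout, proposedTarget(rootUrl)));
        // The constant scheme sends an https site to plain http after logout.
        String pub = publicLogoutTarget(host, "");
        System.out.println("public logout: " + pub + " schemeMatches="
                + URI.create(pub).getScheme().equals(URI.create(rootUrl).getScheme()));
    }
}
```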