diff --git a/src/main/java/im/zhaojun/common/security/MySecurityConfig.java b/src/main/java/im/zhaojun/common/security/MySecurityConfig.java
index 6b22fd3..25915cc 100644
--- a/src/main/java/im/zhaojun/common/security/MySecurityConfig.java
+++ b/src/main/java/im/zhaojun/common/security/MySecurityConfig.java
@@ -12,6 +12,8 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.StrictHttpFirewall;
 
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
@@ -98,6 +100,13 @@ public class MySecurityConfig extends WebSecurityConfigurerAdapter {
 http.csrf().disable();
 }
 
+ @Bean
+ public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
+ StrictHttpFirewall firewall = new StrictHttpFirewall();
+ firewall.setAllowUrlEncodedPercent(true);
+ return firewall;
+ }
+
 @Override
 public void configure(AuthenticationManagerBuilder web) throws Exception {
 web.userDetailsService(myUserDetailsServiceImpl()).passwordEncoder(passwordEncoder());
@@ -112,6 +121,7 @@ public class MySecurityConfig extends WebSecurityConfigurerAdapter {
 public void configure(WebSecurity web) {
 //对于在header里面增加token等类似情况,放行所有OPTIONS请求。
 web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
+ web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
 }
 
 @Bean
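Review bot: The new bean is named `allowUrlEncodedSlashHttpFirewall`, but its body calls `setAllowUrlEncodedPercent(true)`, so encoded slashes are still rejected and the check actually switched off is the one for `%25`. That check is what stops double-encoded sequences such as `%252F` from reaching the application, so once it is off, any later component that URL-decodes a path value a second time may act on a different path from the one the security matchers evaluated. I would rename the method to `allowUrlEncodedPercentHttpFirewall`, together with the `web.httpFirewall(...)` call in the last hunk, so the relaxation is visible at both places. A comment on the bean should record the reason, for example `// Relaxed because <which URLs carry a literal %25>; handlers must not URL-decode path values again.`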