From b2a2e69af5c7c0b4441a056caaee4031abd716cd Mon Sep 17 00:00:00 2001
From: zhaojun1998
Date: Wed, 8 Jan 2020 21:22:03 +0800
Subject: [PATCH] =?UTF-8?q?:lock:=20=E5=85=B3=E9=97=AD=20URL=20=E9=83=A8?= =?UTF-8?q?=E5=88=86=E6=A0=A1=E9=AA=8C,=20=E5=85=81=E8=AE=B8=E4=B8=AD?= =?UTF-8?q?=E6=96=87=E6=96=87=E4=BB=B6=E5=90=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../im/zhaojun/common/security/MySecurityConfig.java | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/main/java/im/zhaojun/common/security/MySecurityConfig.java b/src/main/java/im/zhaojun/common/security/MySecurityConfig.java
index 6b22fd3..25915cc 100644
--- a/src/main/java/im/zhaojun/common/security/MySecurityConfig.java
+++ b/src/main/java/im/zhaojun/common/security/MySecurityConfig.java
@@ -12,6 +12,8 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.StrictHttpFirewall;
 
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
@@ -98,6 +100,13 @@ public class MySecurityConfig extends WebSecurityConfigurerAdapter {
 http.csrf().disable();
 }
 
+ @Bean
+ public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
+ StrictHttpFirewall firewall = new StrictHttpFirewall();
+ firewall.setAllowUrlEncodedPercent(true);
+ return firewall;
+ }
+
 @Override
 public void configure(AuthenticationManagerBuilder web) throws Exception {
 web.userDetailsService(myUserDetailsServiceImpl()).passwordEncoder(passwordEncoder());
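Review bot: `allowUrlEncodedSlashHttpFirewall()` is named for the encoded slash but actually calls `setAllowUrlEncodedPercent(true)`, and nothing in the new method records why the default rejection of `%25` is being lifted. With encoded percent allowed, a doubly encoded path reaches the application with one encoding layer still intact, so any handler that decodes the file path a second time (none is visible in this hunk) has to normalise it and reject `..` segments after its final decode rather than rely on the firewall. I would rename the bean method to `allowUrlEncodedPercentHttpFirewall` (updating the call in the `configure(WebSecurity)` hunk as well) and put a comment above it such as `// Only %25 is allowed, so encoded non-ASCII file names pass; path handlers must validate after their last decode`. The enclosing class starts and ends outside the hunk.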
@@ -112,6 +121,7 @@ public class MySecurityConfig extends WebSecurityConfigurerAdapter {
 public void configure(WebSecurity web) {
 //对于在header里面增加token等类似情况,放行所有OPTIONS请求。
 web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
+ web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
 }
 
 @Bean
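Review bot: The relaxed firewall is installed on the whole `WebSecurity` in the added `web.httpFirewall(...)` line, so it applies to every request the filter chain proxy receives, including the `OPTIONS` requests ignored on the line above, and not only to file-name paths. A short comment stating that scope would help the next reader, for example `// Firewall relaxation is global: it covers all requests, not just file paths`. Depending on the Spring Security version in use, a single `HttpFirewall` bean may already be picked up from the application context, which would make this explicit call redundant; that is worth confirming before keeping both the `@Bean` and the call.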