diff --git a/ballcat-admin/ballcat-admin-core/pom.xml b/ballcat-admin/ballcat-admin-core/pom.xml
index 1b1148a..8c1b9b7 100644
--- a/ballcat-admin/ballcat-admin-core/pom.xml
+++ b/ballcat-admin/ballcat-admin-core/pom.xml
@@ -10,10 +10,9 @@
ballcat-admin-core
-
- com.baomidou
- mybatis-plus-boot-starter
+ org.ballcat
+ ballcat-spring-boot-starter-web
@@ -37,23 +36,15 @@
org.ballcat
ballcat-spring-boot-starter-redis
-
- org.ballcat
- ballcat-spring-boot-starter-web
-
org.ballcat
ballcat-spring-boot-starter-xss
-
-
- org.ballcat
- ballcat-spring-security-oauth2-authorization-server
- provided
-
+
+
- org.ballcat
- ballcat-spring-security-oauth2-resource-server
+ com.baomidou
+ mybatis-plus-boot-starter
@@ -73,5 +64,18 @@
org.ballcat.business
ballcat-system-controller
+
+
+
+ org.ballcat
+ ballcat-spring-security-oauth2-authorization-server
+ provided
+
+
+
+ org.ballcat
+ ballcat-spring-security-oauth2-resource-server
+ provided
+
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/DefaultUserInfoCoordinatorImpl.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/DefaultUserInfoCoordinatorImpl.java
similarity index 79%
rename from ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/DefaultUserInfoCoordinatorImpl.java
rename to ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/DefaultUserInfoCoordinatorImpl.java
index 6a626de..b803f94 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/DefaultUserInfoCoordinatorImpl.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/DefaultUserInfoCoordinatorImpl.java
@@ -1,5 +1,6 @@
-package org.ballcat.business.system.authentication;
+package org.ballcat.admin.springsecurity;
+import org.ballcat.admin.springsecurity.UserInfoCoordinator;
import org.ballcat.business.system.model.dto.UserInfoDTO;
import java.util.Map;
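Review bot: The added `import org.ballcat.admin.springsecurity.UserInfoCoordinator;` is redundant, because this same hunk moves the class into `org.ballcat.admin.springsecurity` and the commit renames `UserInfoCoordinator` into that package too. Drop the line so the file does not carry a same-package import, which most linters flag as unused.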
diff --git a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/SpringSecurityPasswordHelper.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/SpringSecurityPasswordHelper.java
new file mode 100644
index 0000000..9c3309b
--- /dev/null
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/SpringSecurityPasswordHelper.java
@@ -0,0 +1,29 @@
+package org.ballcat.admin.springsecurity;
+
+import org.ballcat.business.system.component.AbstractPasswordHelper;
+import org.ballcat.business.system.properties.SystemProperties;
+import org.ballcat.security.properties.SecurityProperties;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+/**
+ * 基于 SpringSecurity 的密码工具类
+ *
+ * @author Hccake
+ * @since 2.0.0
+ */
+public class SpringSecurityPasswordHelper extends AbstractPasswordHelper {
+
+ private final PasswordEncoder passwordEncoder;
+
+ public SpringSecurityPasswordHelper(SecurityProperties securityProperties, SystemProperties systemProperties,
+ PasswordEncoder passwordEncoder) {
+ super(securityProperties, systemProperties);
+ this.passwordEncoder = passwordEncoder;
+ }
+
+ @Override
+ public String encode(String rawPassword) {
+ return passwordEncoder.encode(rawPassword);
+ }
+
+}
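Review bot: The constructor stores `passwordEncoder` without a null check, so a misconfigured context only fails later, on the first `encode` call during a password create or change. Failing fast is cheap: `this.passwordEncoder = Objects.requireNonNull(passwordEncoder, "passwordEncoder");` (needs `java.util.Objects`). `encode` also has no Javadoc. I would add one stating that `rawPassword` is passed unchanged to the injected `PasswordEncoder` and that the stored format is whatever that encoder produces, since this class picks no algorithm itself.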
diff --git a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/SpringSecurityPrincipalAttributeAccessor.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/SpringSecurityPrincipalAttributeAccessor.java
new file mode 100644
index 0000000..462df50
--- /dev/null
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/SpringSecurityPrincipalAttributeAccessor.java
@@ -0,0 +1,57 @@
+package org.ballcat.admin.springsecurity;
+
+import org.ballcat.security.core.PrincipalAttributeAccessor;
+import org.ballcat.springsecurity.oauth2.userdetails.User;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+public class SpringSecurityPrincipalAttributeAccessor implements PrincipalAttributeAccessor {
+
+ @Override
+ @SuppressWarnings("unchecked")
+ public A getAttribute(String name) {
+ User user = getUser();
+ if (user != null) {
+ return (A) user.getAttributes().get(name);
+ }
+ return null;
+ }
+
+ @Override
+ @SuppressWarnings("unchecked")
+ public Long getUserId() {
+ User user = getUser();
+ if (user != null) {
+ return user.getUserId();
+ }
+ return null;
+ }
+
+ @Override
+ public String getName() {
+ User user = getUser();
+ if (user != null) {
+ return user.getUsername();
+ }
+ return null;
+ }
+
+ private static Authentication getAuthentication() {
+ return SecurityContextHolder.getContext().getAuthentication();
+ }
+
+ private static User getUser() {
+ Authentication authentication = getAuthentication();
+ if (authentication == null) {
+ return null;
+ }
+ Object principal = authentication.getPrincipal();
+ if (principal instanceof User) {
+ return (User) principal;
+ }
+ else {
+ return null;
+ }
+ }
+
+}
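Review bot: The `@SuppressWarnings("unchecked")` on `getUserId()` suppresses nothing, since that method has no unchecked cast; only `getAttribute` needs it, so the annotation can be removed there. In `getAttribute`, `user.getAttributes().get(name)` would throw if `User` allows a null attribute map, which this diff does not show; if it can be null, guard with `Map<String, Object> attrs = user.getAttributes(); return attrs == null ? null : (A) attrs.get(name);`. The class has no Javadoc. It should state that all three getters return `null` when there is no authentication or the principal is not a `User` (for example an anonymous principal), so callers must treat `null` as "no user" and not as a valid identity.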
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/SysUserDetailsServiceImpl.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/SysUserDetailsServiceImpl.java
similarity index 98%
rename from ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/SysUserDetailsServiceImpl.java
rename to ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/SysUserDetailsServiceImpl.java
index 25879c4..c3dcd32 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/SysUserDetailsServiceImpl.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/SysUserDetailsServiceImpl.java
@@ -1,4 +1,4 @@
-package org.ballcat.business.system.authentication;
+package org.ballcat.admin.springsecurity;
import org.ballcat.springsecurity.oauth2.constant.UserAttributeNameConstants;
import org.ballcat.springsecurity.oauth2.userdetails.User;
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/UserInfoCoordinator.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/UserInfoCoordinator.java
similarity index 92%
rename from ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/UserInfoCoordinator.java
rename to ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/UserInfoCoordinator.java
index 317c793..16c85bb 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/UserInfoCoordinator.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/UserInfoCoordinator.java
@@ -1,4 +1,4 @@
-package org.ballcat.business.system.authentication;
+package org.ballcat.admin.springsecurity;
import org.ballcat.business.system.model.dto.UserInfoDTO;
diff --git a/ballcat-business-notify/ballcat-notify-biz/src/main/java/org/ballcat/business/notify/listener/AnnouncementLoginEventListener.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/login/AnnouncementLoginEventListener.java
similarity index 94%
rename from ballcat-business-notify/ballcat-notify-biz/src/main/java/org/ballcat/business/notify/listener/AnnouncementLoginEventListener.java
rename to ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/login/AnnouncementLoginEventListener.java
index 27933ed..18cefa3 100644
--- a/ballcat-business-notify/ballcat-notify-biz/src/main/java/org/ballcat/business/notify/listener/AnnouncementLoginEventListener.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/login/AnnouncementLoginEventListener.java
@@ -1,4 +1,4 @@
-package org.ballcat.business.notify.listener;
+package org.ballcat.admin.springsecurity.login;
import org.ballcat.business.notify.enums.NotifyChannelEnum;
import org.ballcat.business.notify.model.entity.Announcement;
@@ -13,7 +13,6 @@
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
-import org.springframework.stereotype.Component;
import java.util.HashMap;
import java.util.List;
@@ -25,7 +24,6 @@
* @version 1.0
*/
@Slf4j
-@Component
@RequiredArgsConstructor
public class AnnouncementLoginEventListener {
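Review bot: With `@Component` removed, this listener only runs if something registers it as a bean explicitly, and the `UpmsAutoConfiguration` changes visible in this commit add no such `@Bean` method. If the registration is in a file outside this view, that is fine. Otherwise the `@EventListener(AuthenticationSuccessEvent.class)` handler silently stops firing and unread announcements are no longer generated at login. A class comment such as `// Not component-scanned: must be declared as a @Bean by the admin auto-configuration.` would make the new contract explicit.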
@@ -36,11 +34,11 @@ public class AnnouncementLoginEventListener {
private final UserAnnouncementService userAnnouncementService;
/**
- * 登录成功时间监听 用户未读公告生成
+ * 登录成功时监听 用户未读公告生成
* @param event 登录成功 event
*/
@EventListener(AuthenticationSuccessEvent.class)
- public void onAuthenticationSuccessEvent(AuthenticationSuccessEvent event) throws InterruptedException {
+ public void onAuthenticationSuccessEvent(AuthenticationSuccessEvent event) {
AbstractAuthenticationToken source = (AbstractAuthenticationToken) event.getSource();
Object details = source.getDetails();
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/BallcatOAuth2TokenResponseEnhancer.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/oauth2/BallcatOAuth2TokenResponseEnhancer.java
similarity index 98%
rename from ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/BallcatOAuth2TokenResponseEnhancer.java
rename to ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/oauth2/BallcatOAuth2TokenResponseEnhancer.java
index 4adbc75..48971ca 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/authentication/BallcatOAuth2TokenResponseEnhancer.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/springsecurity/oauth2/BallcatOAuth2TokenResponseEnhancer.java
@@ -1,4 +1,4 @@
-package org.ballcat.business.system.authentication;
+package org.ballcat.admin.springsecurity.oauth2;
import org.ballcat.springsecurity.oauth2.constant.TokenAttributeNameConstants;
import org.ballcat.springsecurity.oauth2.constant.UserAttributeNameConstants;
diff --git a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/UpmsAutoConfiguration.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/UpmsAutoConfiguration.java
index b533db3..cb9a497 100644
--- a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/UpmsAutoConfiguration.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/UpmsAutoConfiguration.java
@@ -1,12 +1,12 @@
package org.ballcat.admin.upms;
+import org.ballcat.admin.springsecurity.*;
+import org.ballcat.admin.springsecurity.oauth2.BallcatOAuth2TokenResponseEnhancer;
import org.ballcat.admin.upms.log.LogConfiguration;
-import org.ballcat.business.system.authentication.BallcatOAuth2TokenResponseEnhancer;
-import org.ballcat.business.system.authentication.DefaultUserInfoCoordinatorImpl;
-import org.ballcat.business.system.authentication.SysUserDetailsServiceImpl;
-import org.ballcat.business.system.authentication.UserInfoCoordinator;
+import org.ballcat.business.system.component.PasswordHelper;
import org.ballcat.business.system.properties.SystemProperties;
import org.ballcat.business.system.service.SysUserService;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.ballcat.security.properties.SecurityProperties;
import org.ballcat.springsecurity.oauth2.server.authorization.web.authentication.OAuth2TokenResponseEnhancer;
import org.ballcat.springsecurity.oauth2.server.resource.introspection.SpringAuthorizationServerSharedStoredOpaqueTokenIntrospector;
@@ -22,6 +22,7 @@
import org.springframework.context.annotation.Import;
import org.springframework.scheduling.annotation.EnableAsync;
import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
@@ -44,7 +45,7 @@ public class UpmsAutoConfiguration {
* @author hccake
*/
@Configuration(proxyBeanMethods = false)
- @ConditionalOnClass(SysUserService.class)
+ @ConditionalOnClass({ UserDetailsService.class, SysUserService.class })
@ConditionalOnMissingBean(UserDetailsService.class)
static class UserDetailsServiceConfiguration {
@@ -69,6 +70,19 @@ public UserInfoCoordinator userInfoCoordinator() {
return new DefaultUserInfoCoordinatorImpl();
}
+ @Bean
+ @ConditionalOnMissingBean
+ public PasswordHelper passwordHelper(SecurityProperties securityProperties, SystemProperties systemProperties,
+ PasswordEncoder passwordEncoder) {
+ return new SpringSecurityPasswordHelper(securityProperties, systemProperties, passwordEncoder);
+ }
+
+ @Bean
+ @ConditionalOnMissingBean
+ public PrincipalAttributeAccessor principalAttributeAccessor() {
+ return new SpringSecurityPrincipalAttributeAccessor();
+ }
+
}
/**
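Review bot: The new `passwordHelper` and `principalAttributeAccessor` beans appear to sit inside `UserDetailsServiceConfiguration` (the hunk header places them right after `userInfoCoordinator()`; the class starts outside this hunk). That class is guarded by `@ConditionalOnMissingBean(UserDetailsService.class)`, so an application that supplies its own `UserDetailsService` would get neither bean. This commit also makes `MybatisPlusConfig.fillMetaObjectHandle`, the `LogConfiguration` constructor and `AdminWebSocketAutoConfiguration.authenticationHandshakeInterceptor` require a `PrincipalAttributeAccessor`, so the context would likely fail to start in that setup. Consider moving both `@Bean` methods into a separate nested configuration whose condition does not depend on `UserDetailsService`, keeping their own `@ConditionalOnMissingBean`.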
diff --git a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/config/mybatis/FillMetaObjectHandle.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/config/mybatis/FillMetaObjectHandle.java
index 27322e0..e66a91b 100644
--- a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/config/mybatis/FillMetaObjectHandle.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/config/mybatis/FillMetaObjectHandle.java
@@ -1,11 +1,10 @@
package org.ballcat.admin.upms.config.mybatis;
import com.baomidou.mybatisplus.core.handlers.MetaObjectHandler;
-import org.ballcat.common.core.constant.GlobalConstants;
-import org.ballcat.springsecurity.oauth2.userdetails.User;
-import org.ballcat.springsecurity.util.SecurityUtils;
import lombok.extern.slf4j.Slf4j;
import org.apache.ibatis.reflection.MetaObject;
+import org.ballcat.common.core.constant.GlobalConstants;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import java.time.LocalDateTime;
@@ -15,6 +14,12 @@
@Slf4j
public class FillMetaObjectHandle implements MetaObjectHandler {
+ private final PrincipalAttributeAccessor principalAttributeAccessor;
+
+ public FillMetaObjectHandle(PrincipalAttributeAccessor principalAttributeAccessor) {
+ this.principalAttributeAccessor = principalAttributeAccessor;
+ }
+
@Override
public void insertFill(MetaObject metaObject) {
// 逻辑删除标识
@@ -22,9 +27,9 @@ public void insertFill(MetaObject metaObject) {
// 创建时间
this.strictInsertFill(metaObject, "createTime", LocalDateTime.class, LocalDateTime.now());
// 创建人
- User user = SecurityUtils.getUser();
- if (user != null) {
- this.strictInsertFill(metaObject, "createBy", Long.class, user.getUserId());
+ Long userId = principalAttributeAccessor.getUserId();
+ if (userId != null) {
+ this.strictInsertFill(metaObject, "createBy", Long.class, userId);
}
}
@@ -33,9 +38,9 @@ public void updateFill(MetaObject metaObject) {
// 修改时间
this.strictUpdateFill(metaObject, "updateTime", LocalDateTime.class, LocalDateTime.now());
// 修改人
- User user = SecurityUtils.getUser();
- if (user != null) {
- this.strictUpdateFill(metaObject, "updateBy", Long.class, user.getUserId());
+ Long userId = principalAttributeAccessor.getUserId();
+ if (userId != null) {
+ this.strictUpdateFill(metaObject, "updateBy", Long.class, userId);
}
}
diff --git a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/config/mybatis/MybatisPlusConfig.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/config/mybatis/MybatisPlusConfig.java
index 6f1a2c1..3088315 100644
--- a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/config/mybatis/MybatisPlusConfig.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/config/mybatis/MybatisPlusConfig.java
@@ -9,6 +9,7 @@
import com.baomidou.mybatisplus.extension.plugins.inner.PaginationInnerInterceptor;
import org.ballcat.mybatisplus.injector.CustomSqlInjector;
import org.ballcat.mybatisplus.methods.InsertBatchSomeColumnByCollection;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@@ -17,8 +18,9 @@
import java.util.List;
/**
- * @author hccake
- * @date 2020/04/19 默认配置MybatisPlus分页插件,通过conditional注解达到覆盖效用
+ * 默认配置MybatisPlus分页插件,通过conditional注解达到覆盖效用
+ *
+ * @author hccake 2020/04/19
*/
@Configuration
public class MybatisPlusConfig {
@@ -42,8 +44,8 @@ public MybatisPlusInterceptor mybatisPlusInterceptor() {
*/
@Bean
@ConditionalOnMissingBean(MetaObjectHandler.class)
- public MetaObjectHandler fillMetaObjectHandle() {
- return new FillMetaObjectHandle();
+ public MetaObjectHandler fillMetaObjectHandle(PrincipalAttributeAccessor principalAttributeAccessor) {
+ return new FillMetaObjectHandle(principalAttributeAccessor);
}
/**
diff --git a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/log/LogConfiguration.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/log/LogConfiguration.java
index 8ad3d26..4fb9ffc 100644
--- a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/log/LogConfiguration.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/log/LogConfiguration.java
@@ -10,6 +10,7 @@
import org.ballcat.business.log.service.LoginLogService;
import org.ballcat.business.log.service.OperationLogService;
import org.ballcat.business.log.thread.AccessLogSaveThread;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -25,6 +26,12 @@
@ConditionalOnClass(LoginLogService.class)
public class LogConfiguration {
+ private final PrincipalAttributeAccessor principalAttributeAccessor;
+
+ public LogConfiguration(PrincipalAttributeAccessor principalAttributeAccessor) {
+ this.principalAttributeAccessor = principalAttributeAccessor;
+ }
+
/**
* 访问日志保存
* @param accessLogService 访问日志Service
@@ -34,7 +41,7 @@ public class LogConfiguration {
@ConditionalOnBean(AccessLogService.class)
@ConditionalOnMissingBean(AccessLogHandler.class)
public AccessLogHandler customAccessLogHandler(AccessLogService accessLogService) {
- return new CustomAccessLogHandler(new AccessLogSaveThread(accessLogService));
+ return new CustomAccessLogHandler(new AccessLogSaveThread(accessLogService), principalAttributeAccessor);
}
/**
@@ -46,7 +53,7 @@ public AccessLogHandler customAccessLogHandler(AccessLogService acces
@ConditionalOnBean(OperationLogService.class)
@ConditionalOnMissingBean(OperationLogHandler.class)
public OperationLogHandler customOperationLogHandler(OperationLogService operationLogService) {
- return new CustomOperationLogHandler(operationLogService);
+ return new CustomOperationLogHandler(operationLogService, principalAttributeAccessor);
}
@ConditionalOnClass(OAuth2AuthorizationServerConfigurer.class)
diff --git a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/log/SpringAuthorizationServerLoginLogHandler.java b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/log/SpringAuthorizationServerLoginLogHandler.java
index 51177f0..cfb8fe7 100644
--- a/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/log/SpringAuthorizationServerLoginLogHandler.java
+++ b/ballcat-admin/ballcat-admin-core/src/main/java/org/ballcat/admin/upms/log/SpringAuthorizationServerLoginLogHandler.java
@@ -2,7 +2,6 @@
import org.ballcat.common.core.util.WebUtils;
import org.ballcat.log.operation.enums.LogStatusEnum;
-import org.ballcat.springsecurity.util.SecurityUtils;
import org.ballcat.business.log.enums.LoginEventTypeEnum;
import org.ballcat.business.log.model.entity.LoginLog;
import org.ballcat.business.log.service.LoginLogService;
@@ -14,6 +13,7 @@
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.authentication.event.LogoutSuccessEvent;
+import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationGrantAuthenticationToken;
@@ -50,7 +50,7 @@ public void onAuthenticationSuccessEvent(AuthenticationSuccessEvent event) {
// Oauth2登录 和表单登录 处理分开
if (isOauth2LoginRequest && source instanceof OAuth2AccessTokenAuthenticationToken) {
- username = SecurityUtils.getAuthentication().getName();
+ username = SecurityContextHolder.getContext().getAuthentication().getName();
}
else if (!isOauth2LoginRequest && source instanceof UsernamePasswordAuthenticationToken) {
username = ((UsernamePasswordAuthenticationToken) source).getName();
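Review bot: The new chain `SecurityContextHolder.getContext().getAuthentication().getName()` dereferences `getAuthentication()` without a null check, and that call returns null when the context holds no authentication. An exception thrown inside this success listener would lose the login log entry for that sign-in, which is an audit record worth protecting. A guard such as `Authentication auth = SecurityContextHolder.getContext().getAuthentication(); username = auth != null ? auth.getName() : null;` avoids that and needs an import of `org.springframework.security.core.Authentication`. Whether a null username is acceptable for the log row should be confirmed, since the rest of the method is outside the hunk.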
diff --git a/ballcat-admin/ballcat-admin-websocket/src/main/java/org/ballcat/admin/websocket/AdminWebSocketAutoConfiguration.java b/ballcat-admin/ballcat-admin-websocket/src/main/java/org/ballcat/admin/websocket/AdminWebSocketAutoConfiguration.java
index 551f894..b405c32 100644
--- a/ballcat-admin/ballcat-admin-websocket/src/main/java/org/ballcat/admin/websocket/AdminWebSocketAutoConfiguration.java
+++ b/ballcat-admin/ballcat-admin-websocket/src/main/java/org/ballcat/admin/websocket/AdminWebSocketAutoConfiguration.java
@@ -2,6 +2,7 @@
import org.ballcat.admin.websocket.component.UserAttributeHandshakeInterceptor;
import org.ballcat.admin.websocket.component.UserSessionKeyGenerator;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.ballcat.websocket.session.SessionKeyGenerator;
import lombok.RequiredArgsConstructor;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -21,8 +22,9 @@ public class AdminWebSocketAutoConfiguration {
@Bean
@ConditionalOnMissingBean(UserAttributeHandshakeInterceptor.class)
- public HandshakeInterceptor authenticationHandshakeInterceptor() {
- return new UserAttributeHandshakeInterceptor();
+ public HandshakeInterceptor authenticationHandshakeInterceptor(
+ PrincipalAttributeAccessor principalAttributeAccessor) {
+ return new UserAttributeHandshakeInterceptor(principalAttributeAccessor);
}
@Bean
diff --git a/ballcat-admin/ballcat-admin-websocket/src/main/java/org/ballcat/admin/websocket/component/UserAttributeHandshakeInterceptor.java b/ballcat-admin/ballcat-admin-websocket/src/main/java/org/ballcat/admin/websocket/component/UserAttributeHandshakeInterceptor.java
index 397b40f..db695cf 100644
--- a/ballcat-admin/ballcat-admin-websocket/src/main/java/org/ballcat/admin/websocket/component/UserAttributeHandshakeInterceptor.java
+++ b/ballcat-admin/ballcat-admin-websocket/src/main/java/org/ballcat/admin/websocket/component/UserAttributeHandshakeInterceptor.java
@@ -1,9 +1,8 @@
package org.ballcat.admin.websocket.component;
-import org.ballcat.admin.websocket.constant.AdminWebSocketConstants;
-import org.ballcat.springsecurity.oauth2.userdetails.User;
-import org.ballcat.springsecurity.util.SecurityUtils;
import lombok.RequiredArgsConstructor;
+import org.ballcat.admin.websocket.constant.AdminWebSocketConstants;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.http.server.ServletServerHttpRequest;
@@ -21,6 +20,8 @@
@RequiredArgsConstructor
public class UserAttributeHandshakeInterceptor implements HandshakeInterceptor {
+ private final PrincipalAttributeAccessor principalAttributeAccessor;
+
/**
* Invoked before the handshake is processed.
* @param request the current request
@@ -42,9 +43,9 @@ public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse res
accessToken = serverRequest.getServletRequest().getParameter(AdminWebSocketConstants.TOKEN_ATTR_NAME);
}
// 由于 WebSocket 握手是由 http 升级的,携带 token 已经被 Security 拦截验证了,所以可以直接获取到用户
- User user = SecurityUtils.getUser();
+ Long userId = principalAttributeAccessor.getUserId();
attributes.put(AdminWebSocketConstants.TOKEN_ATTR_NAME, accessToken);
- attributes.put(AdminWebSocketConstants.USER_KEY_ATTR_NAME, user.getUserId());
+ attributes.put(AdminWebSocketConstants.USER_KEY_ATTR_NAME, userId);
return true;
}
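Review bot: `beforeHandshake` now stores a possibly-null `userId` under `USER_KEY_ATTR_NAME` and still returns `true`. The removed `user.getUserId()` would have thrown for a missing user, so a handshake that used to fail now proceeds with no user key. `SpringSecurityPrincipalAttributeAccessor.getUserId()` returns null whenever the principal is not a `User`, so the interceptor should fail closed instead of relying only on the upstream security filter: add `if (userId == null) { return false; }` before the two `attributes.put` calls. The method starts outside this hunk, so any earlier rejection path is not visible here.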
diff --git a/ballcat-admin/pom.xml b/ballcat-admin/pom.xml
index 22a2338..0140eec 100644
--- a/ballcat-admin/pom.xml
+++ b/ballcat-admin/pom.xml
@@ -14,5 +14,5 @@
ballcat-admin-core
ballcat-admin-i18n
ballcat-admin-websocket
-
+
diff --git a/ballcat-business-i18n/ballcat-i18n-controller/pom.xml b/ballcat-business-i18n/ballcat-i18n-controller/pom.xml
index b08e6ae..2577930 100644
--- a/ballcat-business-i18n/ballcat-i18n-controller/pom.xml
+++ b/ballcat-business-i18n/ballcat-i18n-controller/pom.xml
@@ -23,8 +23,8 @@
ballcat-spring-boot-starter-easyexcel
- org.springframework.security
- spring-security-core
+ org.ballcat
+ ballcat-security-core
org.springframework
diff --git a/ballcat-business-i18n/ballcat-i18n-controller/src/main/java/org/ballcat/business/i18n/controller/I18nDataController.java b/ballcat-business-i18n/ballcat-i18n-controller/src/main/java/org/ballcat/business/i18n/controller/I18nDataController.java
index a201ee3..a5422f2 100644
--- a/ballcat-business-i18n/ballcat-i18n-controller/src/main/java/org/ballcat/business/i18n/controller/I18nDataController.java
+++ b/ballcat-business-i18n/ballcat-i18n-controller/src/main/java/org/ballcat/business/i18n/controller/I18nDataController.java
@@ -21,7 +21,7 @@
import org.ballcat.log.operation.annotation.CreateOperationLogging;
import org.ballcat.log.operation.annotation.DeleteOperationLogging;
import org.ballcat.log.operation.annotation.UpdateOperationLogging;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
import org.springframework.util.CollectionUtils;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;
@@ -52,7 +52,7 @@ public class I18nDataController {
* @return R 通用返回体
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('i18n:i18n-data:read')")
+ @Authorize("hasPermission('i18n:i18n-data:read')")
@Operation(summary = "分页查询", description = "分页查询")
public R> getI18nDataPage(@Validated PageParam pageParam, I18nDataQO i18nDataQO) {
return R.ok(i18nDataService.queryPage(pageParam, i18nDataQO));
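Review bot: Replacing `@PreAuthorize("@per.hasPermission(...)")` with the project's own `@Authorize("hasPermission(...)")` means these endpoints are protected only if something on the classpath evaluates `@Authorize`, and nothing in this diff shows that handler or what happens when it is absent. The same change is made on every endpoint of `I18nDataController` and `SysConfigController`, whose modules now depend on `ballcat-security-core` and no longer on `spring-security-core`. I would confirm that the handler is registered by default and denies access when the expression cannot be evaluated. A controller test should assert that a caller without `i18n:i18n-data:read` is rejected. A class-level comment such as `// Access control relies on the @Authorize handler from the security starter; without it these mappings are unprotected.` would record the dependency.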
@@ -64,7 +64,7 @@ public R> getI18nDataPage(@Validated PageParam pagePa
* @return R 通用返回体
*/
@GetMapping("/list")
- @PreAuthorize("@per.hasPermission('i18n:i18n-data:read')")
+ @Authorize("hasPermission('i18n:i18n-data:read')")
@Operation(summary = "查询指定国际化标识的所有数据", description = "查询指定国际化标识的所有数据")
public R> listByCode(@RequestParam("code") String code) {
return R.ok(i18nDataService.listByCode(code));
@@ -77,7 +77,7 @@ public R> listByCode(@RequestParam("code") String code) {
*/
@CreateOperationLogging(msg = "新增国际化信息")
@PostMapping
- @PreAuthorize("@per.hasPermission('i18n:i18n-data:add')")
+ @Authorize("hasPermission('i18n:i18n-data:add')")
@Operation(summary = "新增国际化信息", description = "新增国际化信息")
public R save(@Valid @RequestBody I18nDataCreateDTO i18nDataCreateDTO) {
// 转换为实体类列表
@@ -101,7 +101,7 @@ public R save(@Valid @RequestBody I18nDataCreateDTO i18nDataCreateDTO) {
*/
@UpdateOperationLogging(msg = "修改国际化信息")
@PutMapping
- @PreAuthorize("@per.hasPermission('i18n:i18n-data:edit')")
+ @Authorize("hasPermission('i18n:i18n-data:edit')")
@Operation(summary = "修改国际化信息", description = "修改国际化信息")
public R updateById(@RequestBody I18nDataDTO i18nDataDTO) {
return i18nDataService.updateByCodeAndLanguageTag(i18nDataDTO) ? R.ok()
@@ -116,7 +116,7 @@ public R updateById(@RequestBody I18nDataDTO i18nDataDTO) {
*/
@DeleteOperationLogging(msg = "通过id删除国际化信息")
@DeleteMapping
- @PreAuthorize("@per.hasPermission('i18n:i18n-data:del')")
+ @Authorize("hasPermission('i18n:i18n-data:del')")
@Operation(summary = "通过id删除国际化信息", description = "通过id删除国际化信息")
public R removeById(@RequestParam("code") String code, @RequestParam("languageTag") String languageTag) {
return i18nDataService.removeByCodeAndLanguageTag(code, languageTag) ? R.ok()
@@ -128,7 +128,7 @@ public R removeById(@RequestParam("code") String code, @RequestParam("lang
* @return R 通用返回体
*/
@PostMapping("/import")
- @PreAuthorize("@per.hasPermission('i18n:i18n-data:import')")
+ @Authorize("hasPermission('i18n:i18n-data:import')")
@Operation(summary = "导入国际化信息", description = "导入国际化信息")
public R> importI18nData(@RequestExcel List excelVos,
@RequestParam("importMode") ImportModeEnum importModeEnum) {
@@ -163,7 +163,7 @@ public R> importI18nData(@RequestExcel List exce
*/
@ResponseExcel(name = "国际化信息", i18nHeader = true)
@GetMapping("/export")
- @PreAuthorize("@per.hasPermission('i18n:i18n-data:export')")
+ @Authorize("hasPermission('i18n:i18n-data:export')")
@Operation(summary = "导出国际化信息", description = "导出国际化信息")
public List exportI18nData(I18nDataQO i18nDataQO) {
List list = i18nDataService.queryList(i18nDataQO);
@@ -180,7 +180,7 @@ public List exportI18nData(I18nDataQO i18nDataQO) {
*/
@ResponseExcel(name = "国际化信息模板", i18nHeader = true)
@GetMapping("/excel-template")
- @PreAuthorize("@per.hasPermission('i18n:i18n-data:import')")
+ @Authorize("hasPermission('i18n:i18n-data:import')")
@Operation(summary = "国际化信息 Excel 模板", description = "国际化信息 Excel 模板")
public List excelTemplate() {
List list = new ArrayList<>();
diff --git a/ballcat-business-infra/ballcat-infra-biz/pom.xml b/ballcat-business-infra/ballcat-infra-biz/pom.xml
index d5134f7..9057230 100644
--- a/ballcat-business-infra/ballcat-infra-biz/pom.xml
+++ b/ballcat-business-infra/ballcat-infra-biz/pom.xml
@@ -37,10 +37,5 @@
spring-boot-configuration-processor
true
-
- org.ballcat
- ballcat-spring-security-oauth2-authorization-server
- true
-
\ No newline at end of file
diff --git a/ballcat-business-infra/ballcat-infra-controller/pom.xml b/ballcat-business-infra/ballcat-infra-controller/pom.xml
index dfd5232..0309467 100644
--- a/ballcat-business-infra/ballcat-infra-controller/pom.xml
+++ b/ballcat-business-infra/ballcat-infra-controller/pom.xml
@@ -21,8 +21,8 @@
ballcat-log
- org.springframework.security
- spring-security-core
+ org.ballcat
+ ballcat-security-core
\ No newline at end of file
diff --git a/ballcat-business-infra/ballcat-infra-controller/src/main/java/org/ballcat/business/infra/controller/SysConfigController.java b/ballcat-business-infra/ballcat-infra-controller/src/main/java/org/ballcat/business/infra/controller/SysConfigController.java
index debe330..82def7a 100644
--- a/ballcat-business-infra/ballcat-infra-controller/src/main/java/org/ballcat/business/infra/controller/SysConfigController.java
+++ b/ballcat-business-infra/ballcat-infra-controller/src/main/java/org/ballcat/business/infra/controller/SysConfigController.java
@@ -13,7 +13,7 @@
import org.ballcat.log.operation.annotation.CreateOperationLogging;
import org.ballcat.log.operation.annotation.DeleteOperationLogging;
import org.ballcat.log.operation.annotation.UpdateOperationLogging;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;
@@ -37,7 +37,7 @@ public class SysConfigController {
* @return R>
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('system:config:read')")
+ @Authorize("hasPermission('system:config:read')")
@Operation(summary = "分页查询", description = "分页查询")
public R> getSysConfigPage(@Validated PageParam pageParam, SysConfigQO sysConfigQO) {
return R.ok(sysConfigService.queryPage(pageParam, sysConfigQO));
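Review bot: Nothing visible in this commit shows what evaluates `@Authorize("hasPermission('system:config:read')")`, so whether this endpoint is still protected depends on an interceptor or aspect from `ballcat-security-core` being active at runtime. With `@PreAuthorize` the check ran through Spring Security's method security; if the handler for the new annotation is missing from an application's classpath or configuration, the annotation would presumably be ignored and the method would run unchecked. I would add a web-layer test per controller asserting that a caller without the permission is rejected, and document on the module which bean enforces the annotation. The same applies to every `@Authorize` replacement in SysDictController, the log controllers and the notify controllers in this commit.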
@@ -50,7 +50,7 @@ public R> getSysConfigPage(@Validated PageParam page
*/
@CreateOperationLogging(msg = "新增系统配置")
@PostMapping
- @PreAuthorize("@per.hasPermission('system:config:add')")
+ @Authorize("hasPermission('system:config:add')")
@Operation(summary = "新增系统配置", description = "新增系统配置")
public R save(@RequestBody SysConfig sysConfig) {
return R.ok(sysConfigService.save(sysConfig));
@@ -63,7 +63,7 @@ public R save(@RequestBody SysConfig sysConfig) {
*/
@UpdateOperationLogging(msg = "修改系统配置")
@PutMapping
- @PreAuthorize("@per.hasPermission('system:config:edit')")
+ @Authorize("hasPermission('system:config:edit')")
@Operation(summary = "修改系统配置")
public R updateById(@RequestBody SysConfig sysConfig) {
return R.ok(sysConfigService.updateByKey(sysConfig));
@@ -76,7 +76,7 @@ public R updateById(@RequestBody SysConfig sysConfig) {
*/
@DeleteOperationLogging(msg = "删除系统配置")
@DeleteMapping
- @PreAuthorize("@per.hasPermission('system:config:del')")
+ @Authorize("hasPermission('system:config:del')")
@Operation(summary = "删除系统配置")
public R removeById(@RequestParam("confKey") String confKey) {
return R.ok(sysConfigService.removeByKey(confKey));
diff --git a/ballcat-business-infra/ballcat-infra-controller/src/main/java/org/ballcat/business/infra/controller/SysDictController.java b/ballcat-business-infra/ballcat-infra-controller/src/main/java/org/ballcat/business/infra/controller/SysDictController.java
index 80234bd..2c08c48 100644
--- a/ballcat-business-infra/ballcat-infra-controller/src/main/java/org/ballcat/business/infra/controller/SysDictController.java
+++ b/ballcat-business-infra/ballcat-infra-controller/src/main/java/org/ballcat/business/infra/controller/SysDictController.java
@@ -19,7 +19,7 @@
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
@@ -77,7 +77,7 @@ public R> invalidDictHash(@RequestBody Map dictHash
* @return R>
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('system:dict:read')")
+ @Authorize("hasPermission('system:dict:read')")
@Operation(summary = "分页查询", description = "分页查询")
public R> getSysDictPage(@Validated PageParam pageParam, SysDictQO sysDictQO) {
return R.ok(sysDictManager.dictPage(pageParam, sysDictQO));
@@ -90,7 +90,7 @@ public R> getSysDictPage(@Validated PageParam pagePara
*/
@CreateOperationLogging(msg = "新增字典表")
@PostMapping
- @PreAuthorize("@per.hasPermission('system:dict:add')")
+ @Authorize("hasPermission('system:dict:add')")
@Operation(summary = "新增字典表", description = "新增字典表")
public R save(@RequestBody SysDict sysDict) {
return sysDictManager.dictSave(sysDict) ? R.ok() : R.failed(BaseResultCode.UPDATE_DATABASE_ERROR, "新增字典表失败");
@@ -103,7 +103,7 @@ public R save(@RequestBody SysDict sysDict) {
*/
@UpdateOperationLogging(msg = "修改字典表")
@PutMapping
- @PreAuthorize("@per.hasPermission('system:dict:edit')")
+ @Authorize("hasPermission('system:dict:edit')")
@Operation(summary = "修改字典表", description = "修改字典表")
public R updateById(@RequestBody SysDict sysDict) {
return sysDictManager.updateDictById(sysDict) ? R.ok()
@@ -117,7 +117,7 @@ public R updateById(@RequestBody SysDict sysDict) {
*/
@DeleteOperationLogging(msg = "通过id删除字典表")
@DeleteMapping("/{id}")
- @PreAuthorize("@per.hasPermission('system:dict:del')")
+ @Authorize("hasPermission('system:dict:del')")
@Operation(summary = "通过id删除字典表", description = "通过id删除字典表")
public R removeById(@PathVariable("id") Long id) {
sysDictManager.removeDictById(id);
@@ -131,7 +131,7 @@ public R removeById(@PathVariable("id") Long id) {
* @return R
*/
@GetMapping("/item/page")
- @PreAuthorize("@per.hasPermission('system:dict:read')")
+ @Authorize("hasPermission('system:dict:read')")
@Operation(summary = "分页查询", description = "分页查询")
public R> getSysDictItemPage(PageParam pageParam,
@RequestParam("dictCode") String dictCode) {
@@ -145,7 +145,7 @@ public R> getSysDictItemPage(PageParam pageParam,
*/
@CreateOperationLogging(msg = "新增字典项")
@PostMapping("item")
- @PreAuthorize("@per.hasPermission('system:dict:add')")
+ @Authorize("hasPermission('system:dict:add')")
@Operation(summary = "新增字典项", description = "新增字典项")
public R saveItem(
@Validated({ Default.class, CreateGroup.class }) @RequestBody SysDictItemDTO sysDictItemDTO) {
@@ -160,7 +160,7 @@ public R saveItem(
*/
@UpdateOperationLogging(msg = "修改字典项")
@PutMapping("item")
- @PreAuthorize("@per.hasPermission('system:dict:edit')")
+ @Authorize("hasPermission('system:dict:edit')")
@Operation(summary = "修改字典项", description = "修改字典项")
public R updateItemById(
@Validated({ Default.class, UpdateGroup.class }) @RequestBody SysDictItemDTO sysDictItemDTO) {
@@ -175,7 +175,7 @@ public R updateItemById(
*/
@DeleteOperationLogging(msg = "通过id删除字典项")
@DeleteMapping("/item/{id}")
- @PreAuthorize("@per.hasPermission('system:dict:del')")
+ @Authorize("hasPermission('system:dict:del')")
@Operation(summary = "通过id删除字典项", description = "通过id删除字典项")
public R removeItemById(@PathVariable("id") Long id) {
return sysDictManager.removeDictItemById(id) ? R.ok()
@@ -189,7 +189,7 @@ public R removeItemById(@PathVariable("id") Long id) {
*/
@UpdateOperationLogging(msg = "通过id修改字典项状态")
@PatchMapping("/item/{id}")
- @PreAuthorize("@per.hasPermission('system:dict:edit')")
+ @Authorize("hasPermission('system:dict:edit')")
@Operation(summary = "通过id修改字典项状态", description = "通过id修改字典项状态")
public R updateDictItemStatusById(@PathVariable("id") Long id, @RequestParam("status") Integer status) {
sysDictManager.updateDictItemStatusById(id, status);
diff --git a/ballcat-business-log/ballcat-log-biz/pom.xml b/ballcat-business-log/ballcat-log-biz/pom.xml
index ad656da..628e663 100644
--- a/ballcat-business-log/ballcat-log-biz/pom.xml
+++ b/ballcat-business-log/ballcat-log-biz/pom.xml
@@ -33,7 +33,7 @@
org.ballcat
- ballcat-spring-security-oauth2-core
+ ballcat-security-core
jakarta.servlet
diff --git a/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/handler/CustomAccessLogHandler.java b/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/handler/CustomAccessLogHandler.java
index ada376e..45c6cc8 100644
--- a/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/handler/CustomAccessLogHandler.java
+++ b/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/handler/CustomAccessLogHandler.java
@@ -10,7 +10,7 @@
import org.ballcat.desensitize.enums.RegexDesensitizationTypeEnum;
import org.ballcat.log.access.handler.AccessLogHandler;
import org.ballcat.log.util.LogUtils;
-import org.ballcat.springsecurity.util.SecurityUtils;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.slf4j.MDC;
import org.springframework.web.servlet.HandlerMapping;
@@ -35,11 +35,15 @@ public class CustomAccessLogHandler implements AccessLogHandler {
private final AccessLogSaveThread accessLogSaveThread;
- public CustomAccessLogHandler(AccessLogSaveThread accessLogSaveThread) {
+ private final PrincipalAttributeAccessor principalAttributeAccessor;
+
+ public CustomAccessLogHandler(AccessLogSaveThread accessLogSaveThread,
+ PrincipalAttributeAccessor principalAttributeAccessor) {
if (!accessLogSaveThread.isAlive()) {
accessLogSaveThread.start();
}
this.accessLogSaveThread = accessLogSaveThread;
+ this.principalAttributeAccessor = principalAttributeAccessor;
}
/**
@@ -90,10 +94,8 @@ public AccessLog buildLog(HttpServletRequest request, HttpServletResponse respon
}
// 如果登录用户 则记录用户名和用户id
- Optional.ofNullable(SecurityUtils.getUser()).ifPresent(x -> {
- accessLog.setUserId(x.getUserId());
- accessLog.setUsername(x.getUsername());
- });
+ accessLog.setUserId(principalAttributeAccessor.getUserId());
+ accessLog.setUsername(principalAttributeAccessor.getName());
return accessLog;
}
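Review bot: The removed code skipped both setters when `SecurityUtils.getUser()` was null, but `accessLog.setUserId(principalAttributeAccessor.getUserId())` and `setUsername(principalAttributeAccessor.getName())` now run for every request, including unauthenticated ones. Whether that is safe depends on `PrincipalAttributeAccessor`, which is not shown here: if either getter throws when there is no principal, access logging would fail on login and rejected requests, which is where the audit trail matters most. I would state the contract in a comment such as `// accessor returns null for anonymous requests; the log row is still written`, or guard the two calls if it can throw. The same question applies to `operationLog.setOperator(principalAttributeAccessor.getName())` in CustomOperationLogHandler. buildLog starts outside the hunk.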
diff --git a/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/handler/CustomOperationLogHandler.java b/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/handler/CustomOperationLogHandler.java
index c20760b..658ed03 100644
--- a/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/handler/CustomOperationLogHandler.java
+++ b/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/handler/CustomOperationLogHandler.java
@@ -11,7 +11,7 @@
import org.ballcat.log.operation.annotation.OperationLogging;
import org.ballcat.log.operation.enums.LogStatusEnum;
import org.ballcat.log.operation.handler.AbstractOperationLogHandler;
-import org.ballcat.springsecurity.util.SecurityUtils;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.slf4j.MDC;
import org.springframework.http.HttpHeaders;
@@ -27,6 +27,8 @@ public class CustomOperationLogHandler extends AbstractOperationLogHandler operationLog.setOperator(x.getUsername()));
+ operationLog.setOperator(principalAttributeAccessor.getName());
return operationLog;
}
diff --git a/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/service/AccessLogService.java b/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/service/AccessLogService.java
index a60c01b..869e7e0 100644
--- a/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/service/AccessLogService.java
+++ b/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/service/AccessLogService.java
@@ -10,8 +10,7 @@
/**
* 后台访问日志
*
- * @author hccake
- * @date 2019-10-16 16:09:25
+ * @author hccake 2019-10-16 16:09:25
*/
public interface AccessLogService extends ExtendService {
diff --git a/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/thread/AccessLogSaveThread.java b/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/thread/AccessLogSaveThread.java
index c26b6f3..d994ab1 100644
--- a/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/thread/AccessLogSaveThread.java
+++ b/ballcat-business-log/ballcat-log-biz/src/main/java/org/ballcat/business/log/thread/AccessLogSaveThread.java
@@ -9,9 +9,7 @@
import java.util.List;
/**
- * @author Hccake
- * @version 1.0
- * @date 2019/10/16 15:30
+ * @author Hccake 2019/10/16 15:30
*/
@Slf4j
@RequiredArgsConstructor
diff --git a/ballcat-business-log/ballcat-log-controller/pom.xml b/ballcat-business-log/ballcat-log-controller/pom.xml
index ef740bc..81db03a 100644
--- a/ballcat-business-log/ballcat-log-controller/pom.xml
+++ b/ballcat-business-log/ballcat-log-controller/pom.xml
@@ -14,6 +14,10 @@
org.ballcat
ballcat-common-model
+
+ org.ballcat
+ ballcat-security-core
+
org.ballcat.business
ballcat-log-biz
diff --git a/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/AccessLogController.java b/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/AccessLogController.java
index 01a22ca..c93f484 100644
--- a/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/AccessLogController.java
+++ b/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/AccessLogController.java
@@ -9,7 +9,7 @@
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -18,8 +18,7 @@
/**
* 访问日志
*
- * @author hccake
- * @date 2019-10-16 16:09:25
+ * @author hccake 2019-10-16 16:09:25
*/
@RestController
@RequiredArgsConstructor
@@ -36,7 +35,7 @@ public class AccessLogController {
* @return R
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('log:access-log:read')")
+ @Authorize("hasPermission('log:access-log:read')")
@Operation(summary = "分页查询", description = "分页查询")
public R> getAccessLogApiPage(@Validated PageParam pageParam, AccessLogQO accessLogQO) {
return R.ok(accessLogService.queryPage(pageParam, accessLogQO));
diff --git a/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/LoginLogController.java b/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/LoginLogController.java
index dc224ba..86690b7 100644
--- a/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/LoginLogController.java
+++ b/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/LoginLogController.java
@@ -9,7 +9,7 @@
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -35,7 +35,7 @@ public class LoginLogController {
* @return R 通用返回体
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('log:login-log:read')")
+ @Authorize("hasPermission('log:login-log:read')")
@Operation(summary = "分页查询", description = "分页查询")
public R> getLoginLogPage(@Validated PageParam pageParam, LoginLogQO loginLogQO) {
return R.ok(loginLogService.queryPage(pageParam, loginLogQO));
diff --git a/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/OperationLogController.java b/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/OperationLogController.java
index f8555d7..7497162 100644
--- a/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/OperationLogController.java
+++ b/ballcat-business-log/ballcat-log-controller/src/main/java/org/ballcat/business/log/controller/OperationLogController.java
@@ -9,7 +9,7 @@
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -18,8 +18,7 @@
/**
* 操作日志
*
- * @author hccake
- * @date 2019-10-15 20:42:32
+ * @author hccake 2019-10-15 20:42:32
*/
@RestController
@RequiredArgsConstructor
@@ -36,7 +35,7 @@ public class OperationLogController {
* @return R
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('log:operation-log:read')")
+ @Authorize("hasPermission('log:operation-log:read')")
@Operation(summary = "分页查询", description = "分页查询")
public R> getOperationLogAdminPage(@Validated PageParam pageParam,
OperationLogQO operationLogQO) {
diff --git a/ballcat-business-notify/ballcat-notify-controller/pom.xml b/ballcat-business-notify/ballcat-notify-controller/pom.xml
index b227271..c2cbdc2 100644
--- a/ballcat-business-notify/ballcat-notify-controller/pom.xml
+++ b/ballcat-business-notify/ballcat-notify-controller/pom.xml
@@ -10,13 +10,17 @@
ballcat-notify-controller
+
+ org.ballcat.business
+ ballcat-notify-biz
+
org.ballcat
ballcat-log
- org.ballcat.business
- ballcat-notify-biz
+ org.ballcat
+ ballcat-security-core
diff --git a/ballcat-business-notify/ballcat-notify-controller/src/main/java/org/ballcat/business/notify/controller/AnnouncementController.java b/ballcat-business-notify/ballcat-notify-controller/src/main/java/org/ballcat/business/notify/controller/AnnouncementController.java
index a81fb67..8b6d006 100644
--- a/ballcat-business-notify/ballcat-notify-controller/src/main/java/org/ballcat/business/notify/controller/AnnouncementController.java
+++ b/ballcat-business-notify/ballcat-notify-controller/src/main/java/org/ballcat/business/notify/controller/AnnouncementController.java
@@ -7,7 +7,7 @@
import org.ballcat.common.model.domain.PageResult;
import org.ballcat.common.model.result.BaseResultCode;
import org.ballcat.common.model.result.R;
-import org.ballcat.springsecurity.util.SecurityUtils;
+import org.ballcat.security.annotation.Authorize;
import org.ballcat.business.notify.model.dto.AnnouncementDTO;
import org.ballcat.business.notify.model.entity.Announcement;
import org.ballcat.business.notify.model.qo.AnnouncementQO;
@@ -16,7 +16,7 @@
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
@@ -46,6 +46,8 @@ public class AnnouncementController {
private final AnnouncementService announcementService;
+ private final PrincipalAttributeAccessor principalAttributeAccessor;
+
/**
* 分页查询
* @param pageParam 分页对象
@@ -53,7 +55,7 @@ public class AnnouncementController {
* @return R 通用返回体
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('notify:announcement:read')")
+ @Authorize("hasPermission('notify:announcement:read')")
@Operation(summary = "分页查询", description = "分页查询")
public R> getAnnouncementPage(@Validated PageParam pageParam,
AnnouncementQO announcementQO) {
@@ -67,7 +69,7 @@ public R> getAnnouncementPage(@Validated PagePara
*/
@CreateOperationLogging(msg = "新增公告信息")
@PostMapping
- @PreAuthorize("@per.hasPermission('notify:announcement:add')")
+ @Authorize("hasPermission('notify:announcement:add')")
@Operation(summary = "新增公告信息", description = "新增公告信息")
public R save(@Valid @RequestBody AnnouncementDTO announcementDTO) {
return announcementService.addAnnouncement(announcementDTO) ? R.ok()
@@ -81,7 +83,7 @@ public R save(@Valid @RequestBody AnnouncementDTO announcementDTO) {
*/
@UpdateOperationLogging(msg = "修改公告信息")
@PutMapping
- @PreAuthorize("@per.hasPermission('notify:announcement:edit')")
+ @Authorize("hasPermission('notify:announcement:edit')")
@Operation(summary = "修改公告信息", description = "修改公告信息")
public R updateById(@Valid @RequestBody AnnouncementDTO announcementDTO) {
return announcementService.updateAnnouncement(announcementDTO) ? R.ok()
@@ -95,7 +97,7 @@ public R updateById(@Valid @RequestBody AnnouncementDTO announcementDTO) {
*/
@DeleteOperationLogging(msg = "通过id删除公告信息")
@DeleteMapping("/{id}")
- @PreAuthorize("@per.hasPermission('notify:announcement:del')")
+ @Authorize("hasPermission('notify:announcement:del')")
@Operation(summary = "通过id删除公告信息", description = "通过id删除公告信息")
public R removeById(@PathVariable("id") Long id) {
return announcementService.removeById(id) ? R.ok()
@@ -108,7 +110,7 @@ public R removeById(@PathVariable("id") Long id) {
*/
@UpdateOperationLogging(msg = "发布公告信息")
@PatchMapping("/publish/{announcementId}")
- @PreAuthorize("@per.hasPermission('notify:announcement:edit')")
+ @Authorize("hasPermission('notify:announcement:edit')")
@Operation(summary = "发布公告信息", description = "发布公告信息")
public R enableAnnouncement(@PathVariable("announcementId") Long announcementId) {
return announcementService.publish(announcementId) ? R.ok()
@@ -121,7 +123,7 @@ public R enableAnnouncement(@PathVariable("announcementId") Long announcem
*/
@UpdateOperationLogging(msg = "关闭公告信息")
@PatchMapping("/close/{announcementId}")
- @PreAuthorize("@per.hasPermission('notify:announcement:edit')")
+ @Authorize("hasPermission('notify:announcement:edit')")
@Operation(summary = "关闭公告信息", description = "关闭公告信息")
public R disableAnnouncement(@PathVariable("announcementId") Long announcementId) {
return announcementService.close(announcementId) ? R.ok()
@@ -129,7 +131,7 @@ public R disableAnnouncement(@PathVariable("announcementId") Long announce
}
@UpdateOperationLogging(msg = "公告内容图片上传", recordParams = false)
- @PreAuthorize("@per.hasPermission('notify:announcement:edit')")
+ @Authorize("hasPermission('notify:announcement:edit')")
@PostMapping("/image")
@Operation(summary = "公告内容图片上传", description = "公告内容图片上传")
public R> uploadImages(@RequestParam("files") List files) {
@@ -138,10 +140,10 @@ public R> uploadImages(@RequestParam("files") List f
}
@GetMapping("/user")
- @PreAuthorize("@per.hasPermission('notify:userannouncement:read')")
+ @Authorize("hasPermission('notify:userannouncement:read')")
@Operation(summary = "用户公告信息", description = "用户公告信息")
public R> getUserAnnouncements() {
- Long userId = SecurityUtils.getUser().getUserId();
+ Long userId = principalAttributeAccessor.getUserId();
return R.ok(announcementService.listActiveAnnouncements(userId));
}
diff --git a/ballcat-business-notify/ballcat-notify-controller/src/main/java/org/ballcat/business/notify/controller/UserAnnouncementController.java b/ballcat-business-notify/ballcat-notify-controller/src/main/java/org/ballcat/business/notify/controller/UserAnnouncementController.java
index 139a312..721e171 100644
--- a/ballcat-business-notify/ballcat-notify-controller/src/main/java/org/ballcat/business/notify/controller/UserAnnouncementController.java
+++ b/ballcat-business-notify/ballcat-notify-controller/src/main/java/org/ballcat/business/notify/controller/UserAnnouncementController.java
@@ -3,14 +3,14 @@
import org.ballcat.common.model.domain.PageParam;
import org.ballcat.common.model.domain.PageResult;
import org.ballcat.common.model.result.R;
-import org.ballcat.springsecurity.util.SecurityUtils;
+import org.ballcat.security.annotation.Authorize;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.ballcat.business.notify.model.qo.UserAnnouncementQO;
import org.ballcat.business.notify.model.vo.UserAnnouncementPageVO;
import org.ballcat.business.notify.service.UserAnnouncementService;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
-import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PatchMapping;
@@ -31,6 +31,8 @@ public class UserAnnouncementController {
private final UserAnnouncementService userAnnouncementService;
+ private final PrincipalAttributeAccessor principalAttributeAccessor;
+
/**
* 分页查询
* @param pageParam 分页参数
@@ -38,7 +40,7 @@ public class UserAnnouncementController {
* @return R 通用返回体
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('notify:userannouncement:read')")
+ @Authorize("hasPermission('notify:userannouncement:read')")
@Operation(summary = "分页查询", description = "分页查询")
public R> getUserAnnouncementPage(@Validated PageParam pageParam,
UserAnnouncementQO userAnnouncementQO) {
@@ -46,10 +48,10 @@ public R> getUserAnnouncementPage(@Validated
}
@PatchMapping("/read/{announcementId}")
- @PreAuthorize("@per.hasPermission('notify:userannouncement:read')")
+ @Authorize("hasPermission('notify:userannouncement:read')")
@Operation(summary = "用户公告已读上报", description = "用户公告已读上报")
public R readAnnouncement(@PathVariable("announcementId") Long announcementId) {
- Long userId = SecurityUtils.getUser().getUserId();
+ Long userId = principalAttributeAccessor.getUserId();
userAnnouncementService.readAnnouncement(userId, announcementId);
return R.ok();
}
diff --git a/ballcat-business-system/ballcat-system-biz/pom.xml b/ballcat-business-system/ballcat-system-biz/pom.xml
index f89ed40..1695460 100644
--- a/ballcat-business-system/ballcat-system-biz/pom.xml
+++ b/ballcat-business-system/ballcat-system-biz/pom.xml
@@ -20,29 +20,24 @@
org.ballcat
- ballcat-redis
+ ballcat-common-util
org.ballcat
- ballcat-mybatis-plus
+ ballcat-redis
org.ballcat
- ballcat-security-core
+ ballcat-mybatis-plus
org.ballcat
- ballcat-spring-security-oauth2-core
+ ballcat-security-core
org.springframework.boot
spring-boot-configuration-processor
true
-
- org.ballcat
- ballcat-spring-security-oauth2-authorization-server
- true
-
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/checker/AdminUserCheckerImpl.java b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/checker/AdminUserCheckerImpl.java
index 7509938..23d81ee 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/checker/AdminUserCheckerImpl.java
+++ b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/checker/AdminUserCheckerImpl.java
@@ -3,7 +3,7 @@
import lombok.RequiredArgsConstructor;
import org.ballcat.business.system.model.entity.SysUser;
import org.ballcat.business.system.properties.SystemProperties;
-import org.ballcat.springsecurity.util.SecurityUtils;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
@@ -18,6 +18,8 @@ public class AdminUserCheckerImpl implements AdminUserChecker {
private final SystemProperties systemProperties;
+ private final PrincipalAttributeAccessor principalAttributeAccessor;
+
@Override
public boolean isAdminUser(SysUser user) {
SystemProperties.Administrator administrator = systemProperties.getAdministrator();
@@ -32,7 +34,7 @@ public boolean isAdminUser(SysUser user) {
public boolean hasModifyPermission(SysUser targetUser) {
// 如果需要修改的用户是超级管理员,则只能本人修改
if (this.isAdminUser(targetUser)) {
- return SecurityUtils.getUser().getUsername().equals(targetUser.getUsername());
+ return principalAttributeAccessor.getName().equals(targetUser.getUsername());
}
return true;
}
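Review bot: `principalAttributeAccessor.getName().equals(targetUser.getUsername())` decides who may modify the super administrator, and it throws a NullPointerException instead of denying when no principal name is available. Null-checking the name first makes the check fail closed: `String current = principalAttributeAccessor.getName();` followed by `return current != null && current.equals(targetUser.getUsername());`. It is also worth confirming that `getName()` returns the same login name that `SysUser.getUsername()` holds for every authentication type the accessor supports, since that is not visible in this diff.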
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/component/AbstractPasswordHelper.java b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/component/AbstractPasswordHelper.java
new file mode 100644
index 0000000..52f2423
--- /dev/null
+++ b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/component/AbstractPasswordHelper.java
@@ -0,0 +1,61 @@
+package org.ballcat.business.system.component;
+
+import org.ballcat.business.system.properties.SystemProperties;
+import org.ballcat.common.core.exception.BusinessException;
+import org.ballcat.common.util.AesUtils;
+import org.ballcat.security.properties.SecurityProperties;
+import org.springframework.util.StringUtils;
+
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * 密码相关的操作的辅助类
+ *
+ * @author hccake
+ */
+public abstract class AbstractPasswordHelper implements PasswordHelper {
+
+ private final String passwordSecretKey;
+
+ private final Pattern passwordPattern;
+
+ public AbstractPasswordHelper(SecurityProperties securityProperties, SystemProperties systemProperties) {
+ this.passwordSecretKey = securityProperties.getPasswordSecretKey();
+ String passwordRule = systemProperties.getPasswordRule();
+ this.passwordPattern = StringUtils.hasText(passwordRule) ? Pattern.compile(passwordRule) : null;
+ }
+
+ /**
+ * 将前端传递过来的密文解密为明文
+ * @param aesPass AES加密后的密文
+ * @return 明文密码
+ */
+ public String decodeAes(String aesPass) {
+ try {
+ final byte[] secretKeyBytes = passwordSecretKey.getBytes();
+ final byte[] passBytes = java.util.Base64.getDecoder().decode(aesPass);
+ final byte[] bytes = AesUtils.cbcDecrypt(passBytes, secretKeyBytes, secretKeyBytes);
+ return new String(bytes, StandardCharsets.UTF_8);
+ }
+ catch (GeneralSecurityException ex) {
+ throw new BusinessException(400, "密码密文解密异常!");
+ }
+ }
+
+ /**
+ * 校验密码是否符合规则
+ * @param rawPassword 明文密码
+ * @return 符合返回 true
+ */
+ public boolean validateRule(String rawPassword) {
+ if (passwordPattern == null) {
+ return true;
+ }
+ Matcher matcher = passwordPattern.matcher(rawPassword);
+ return matcher.matches();
+ }
+
+}
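Review bot: In `decodeAes`, `java.util.Base64.getDecoder().decode(aesPass)` throws IllegalArgumentException on malformed input, which `catch (GeneralSecurityException ex)` does not cover, so a bad ciphertext from the client surfaces as an unhandled error rather than the intended 400 BusinessException. I would widen the handler to `catch (IllegalArgumentException | GeneralSecurityException ex)` and read the key with `passwordSecretKey.getBytes(StandardCharsets.UTF_8)` so it does not depend on the platform charset. The call `AesUtils.cbcDecrypt(passBytes, secretKeyBytes, secretKeyBytes)` also passes the same bytes twice, which looks like the key doubling as a fixed CBC IV; if so, that deserves a comment stating that this layer only obscures the password in transit and is no substitute for TLS. A null `passwordSecretKey` is not checked in the constructor and would fail only at the first decrypt.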
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/component/PasswordHelper.java b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/component/PasswordHelper.java
index e45eed8..9e4b662 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/component/PasswordHelper.java
+++ b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/component/PasswordHelper.java
@@ -1,73 +1,31 @@
package org.ballcat.business.system.component;
-import org.ballcat.business.system.properties.SystemProperties;
-import org.ballcat.common.core.exception.BusinessException;
-import org.ballcat.security.properties.SecurityProperties;
-import org.ballcat.springsecurity.util.PasswordUtils;
-import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.stereotype.Component;
-import org.springframework.util.StringUtils;
-
-import java.security.GeneralSecurityException;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
/**
* 密码相关的操作的辅助类
*
* @author hccake
*/
-@Component
-public class PasswordHelper {
-
- private final SecurityProperties securityProperties;
-
- private final PasswordEncoder passwordEncoder;
-
- private final Pattern passwordPattern;
-
- public PasswordHelper(SecurityProperties securityProperties, SystemProperties systemProperties,
- PasswordEncoder passwordEncoder) {
- this.securityProperties = securityProperties;
- this.passwordEncoder = passwordEncoder;
- String passwordRule = systemProperties.getPasswordRule();
- this.passwordPattern = StringUtils.hasText(passwordRule) ? Pattern.compile(passwordRule) : null;
- }
+public interface PasswordHelper {
/**
* 密码加密,单向加密,不可逆
* @param rawPassword 明文密码
* @return 加密后的密文
*/
- public String encode(String rawPassword) {
- return passwordEncoder.encode(rawPassword);
- }
+ String encode(String rawPassword);
/**
* 将前端传递过来的密文解密为明文
* @param aesPass AES加密后的密文
* @return 明文密码
*/
- public String decodeAes(String aesPass) {
- try {
- return PasswordUtils.decodeAES(aesPass, securityProperties.getPasswordSecretKey());
- }
- catch (GeneralSecurityException ex) {
- throw new BusinessException(400, "密码密文解密异常!");
- }
- }
+ String decodeAes(String aesPass);
/**
* 校验密码是否符合规则
* @param rawPassword 明文密码
* @return 符合返回 true
*/
- public boolean validateRule(String rawPassword) {
- if (passwordPattern == null) {
- return true;
- }
- Matcher matcher = passwordPattern.matcher(rawPassword);
- return matcher.matches();
- }
+ boolean validateRule(String rawPassword);
}
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/mapper/SysUserRoleMapper.java b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/mapper/SysUserRoleMapper.java
index d13ff2f..0d026fb 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/mapper/SysUserRoleMapper.java
+++ b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/mapper/SysUserRoleMapper.java
@@ -100,4 +100,11 @@ default boolean deleteUserRole(Long userId, String roleCode) {
*/
IPage queryUserPageByRoleCode(IPage page, @Param("qo") RoleBindUserQO roleCode);
+ /**
+ * 通过用户ID,查询角色codes
+ * @param userId 用户ID
+ * @return 用户拥有的角色code集合
+ */
+ List selectRoleCodeByUserId(Long userId);
+
}
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/service/SysUserRoleService.java b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/service/SysUserRoleService.java
index 4538617..6570178 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/service/SysUserRoleService.java
+++ b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/service/SysUserRoleService.java
@@ -63,4 +63,11 @@ public interface SysUserRoleService extends ExtendService {
*/
boolean unbindRoleUser(Long userId, String roleCode);
+ /**
+ * 通过用户ID,查询角色Code列表
+ * @param userId 用户ID
+ * @return List
+ */
+ List listRoleCodes(Long userId);
+
}
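Review bot: The `@return List` tag on `listRoleCodes` does not say what the list holds or what a user with no roles gets back. Suggest `@return 用户拥有的角色code集合,无角色时返回空集合`, matching the wording already used on `selectRoleCodeByUserId`, provided the mapper really returns an empty list rather than null. The caller added in SysMenuController tolerates both through `CollectionUtils.isEmpty`, but other callers may not. The interface starts outside this hunk.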
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/service/impl/SysUserRoleServiceImpl.java b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/service/impl/SysUserRoleServiceImpl.java
index 73cbb0e..1378d9a 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/service/impl/SysUserRoleServiceImpl.java
+++ b/ballcat-business-system/ballcat-system-biz/src/main/java/org/ballcat/business/system/service/impl/SysUserRoleServiceImpl.java
@@ -138,4 +138,9 @@ public boolean unbindRoleUser(Long userId, String roleCode) {
return !baseMapper.existsRoleBind(userId, roleCode) || baseMapper.deleteUserRole(userId, roleCode);
}
+ @Override
+ public List listRoleCodes(Long userId) {
+ return baseMapper.selectRoleCodeByUserId(userId);
+ }
+
}
diff --git a/ballcat-business-system/ballcat-system-biz/src/main/resources/mapper/SysUserRoleMapper.xml b/ballcat-business-system/ballcat-system-biz/src/main/resources/mapper/SysUserRoleMapper.xml
index f25deb3..e9f5319 100644
--- a/ballcat-business-system/ballcat-system-biz/src/main/resources/mapper/SysUserRoleMapper.xml
+++ b/ballcat-business-system/ballcat-system-biz/src/main/resources/mapper/SysUserRoleMapper.xml
@@ -1,7 +1,7 @@
-
+
-
+
+
+
diff --git a/ballcat-business-system/ballcat-system-controller/pom.xml b/ballcat-business-system/ballcat-system-controller/pom.xml
index 8c751c1..ece7416 100644
--- a/ballcat-business-system/ballcat-system-controller/pom.xml
+++ b/ballcat-business-system/ballcat-system-controller/pom.xml
@@ -18,5 +18,9 @@
org.ballcat
ballcat-log
+
+ org.ballcat
+ ballcat-security-core
+
diff --git a/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysMenuController.java b/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysMenuController.java
index 54efe3c..fe4fc9c 100644
--- a/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysMenuController.java
+++ b/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysMenuController.java
@@ -3,6 +3,7 @@
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
import org.ballcat.business.system.converter.SysMenuConverter;
import org.ballcat.business.system.enums.SysMenuType;
import org.ballcat.business.system.model.dto.SysMenuCreateDTO;
@@ -13,15 +14,15 @@
import org.ballcat.business.system.model.vo.SysMenuPageVO;
import org.ballcat.business.system.model.vo.SysMenuRouterVO;
import org.ballcat.business.system.service.SysMenuService;
+import org.ballcat.business.system.service.SysUserRoleService;
import org.ballcat.common.model.result.BaseResultCode;
import org.ballcat.common.model.result.R;
+import org.ballcat.common.util.Assert;
import org.ballcat.log.operation.annotation.CreateOperationLogging;
import org.ballcat.log.operation.annotation.DeleteOperationLogging;
import org.ballcat.log.operation.annotation.UpdateOperationLogging;
-import org.ballcat.springsecurity.oauth2.constant.UserAttributeNameConstants;
-import org.ballcat.springsecurity.oauth2.userdetails.User;
-import org.ballcat.springsecurity.util.SecurityUtils;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
+import org.ballcat.security.core.PrincipalAttributeAccessor;
import org.springframework.util.CollectionUtils;
import org.springframework.web.bind.annotation.*;
@@ -34,6 +35,7 @@
*
* @author hccake 2021-04-06 17:59:51
*/
+@Slf4j
@RestController
@RequiredArgsConstructor
@RequestMapping("/system/menu")
@@ -42,6 +44,10 @@ public class SysMenuController {
private final SysMenuService sysMenuService;
+ private final SysUserRoleService userRoleService;
+
+ private final PrincipalAttributeAccessor principalAttributeAccessor;
+
/**
* 返回当前用户的路由集合
* @return 当前用户的路由
@@ -50,16 +56,11 @@ public class SysMenuController {
@Operation(summary = "动态路由", description = "动态路由")
public R> getUserPermission() {
// 获取角色Code
- User user = SecurityUtils.getUser();
- Map attributes = user.getAttributes();
-
- Object rolesObject = attributes.get(UserAttributeNameConstants.ROLE_CODES);
- if (!(rolesObject instanceof Collection)) {
- return R.ok(new ArrayList<>());
- }
+ Long userId = principalAttributeAccessor.getUserId();
+ Assert.notNull(userId, () -> new SecurityException("获取登录用户信息失败!"));
- @SuppressWarnings("unchecked")
- Collection roleCodes = (Collection) rolesObject;
+ // 获取用户角色
+ List roleCodes = userRoleService.listRoleCodes(userId);
if (CollectionUtils.isEmpty(roleCodes)) {
return R.ok(new ArrayList<>());
}
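Review bot: The null check on `userId` throws `SecurityException`, which appears to be `java.lang.SecurityException` because no import for that name is added in this file's hunks. Unless a global handler maps it, the caller probably receives a generic 500 rather than an unauthenticated response, so prefer an exception type the project already translates to 401. The mapping annotations sit above the hunk, so I cannot see whether this route carries an `@Authorize`; confirm it is only reachable by an authenticated principal. Role codes are now read through `userRoleService.listRoleCodes(userId)` on every call instead of from the principal's attributes, so the router can diverge from what `hasPermission` enforces if that still reads session or token state. A comment such as `// roles are read from the DB so revocations apply without re-login` would record the intent; the method body continues outside the hunk.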
@@ -84,7 +85,7 @@ public R> getUserPermission() {
* @return R 通用返回体
*/
@GetMapping("/list")
- @PreAuthorize("@per.hasPermission('system:menu:read')")
+ @Authorize("hasPermission('system:menu:read')")
@Operation(summary = "查询菜单列表", description = "查询菜单列表")
public R> getSysMenuPage(SysMenuQO sysMenuQO) {
List sysMenus = sysMenuService.listOrderBySort(sysMenuQO);
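Review bot: Replacing `@PreAuthorize("@per.hasPermission('system:menu:read')")` with `@Authorize("hasPermission('system:menu:read')")` moves enforcement from Spring Security's method security to whatever component in `ballcat-security-core` processes `@Authorize`. Nothing in the visible part of this diff shows that component being registered for the controller module. If it is missing in a deployment, the annotation is presumably inert and the endpoint fails open. Add an integration test per controller asserting that an anonymous caller and an authenticated caller without the permission are both rejected, and consider failing startup when no `@Authorize` handler is present. The same swap recurs in the remaining hunks of SysMenuController and throughout SysOrganizationController, SysRoleController and SysUserController, so this applies to all of them.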
@@ -102,7 +103,7 @@ public R> getSysMenuPage(SysMenuQO sysMenuQO) {
* @return R 通用返回体
*/
@GetMapping("/grant-list")
- @PreAuthorize("@per.hasPermission('system:menu:read')")
+ @Authorize("hasPermission('system:menu:read')")
@Operation(summary = "查询授权菜单列表", description = "查询授权菜单列表")
public R> getSysMenuGrantList() {
List sysMenus = sysMenuService.list();
@@ -122,7 +123,7 @@ public R> getSysMenuGrantList() {
*/
@CreateOperationLogging(msg = "新增菜单权限")
@PostMapping
- @PreAuthorize("@per.hasPermission('system:menu:add')")
+ @Authorize("hasPermission('system:menu:add')")
@Operation(summary = "新增菜单权限", description = "新增菜单权限")
public R save(@Valid @RequestBody SysMenuCreateDTO sysMenuCreateDTO) {
return sysMenuService.create(sysMenuCreateDTO) ? R.ok()
@@ -136,7 +137,7 @@ public R save(@Valid @RequestBody SysMenuCreateDTO sysMenuCreateDTO) {
*/
@UpdateOperationLogging(msg = "修改菜单权限")
@PutMapping
- @PreAuthorize("@per.hasPermission('system:menu:edit')")
+ @Authorize("hasPermission('system:menu:edit')")
@Operation(summary = "修改菜单权限", description = "修改菜单权限")
public R updateById(@RequestBody SysMenuUpdateDTO sysMenuUpdateDTO) {
sysMenuService.update(sysMenuUpdateDTO);
@@ -150,7 +151,7 @@ public R updateById(@RequestBody SysMenuUpdateDTO sysMenuUpdateDTO) {
*/
@DeleteOperationLogging(msg = "通过id删除菜单权限")
@DeleteMapping("/{id}")
- @PreAuthorize("@per.hasPermission('system:menu:del')")
+ @Authorize("hasPermission('system:menu:del')")
@Operation(summary = "通过id删除菜单权限", description = "通过id删除菜单权限")
public R removeById(@PathVariable("id") Long id) {
return sysMenuService.removeById(id) ? R.ok() : R.failed(BaseResultCode.UPDATE_DATABASE_ERROR, "通过id删除菜单权限失败");
diff --git a/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysOrganizationController.java b/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysOrganizationController.java
index c2d0adb..069f83a 100644
--- a/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysOrganizationController.java
+++ b/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysOrganizationController.java
@@ -15,7 +15,7 @@
import org.ballcat.log.operation.annotation.CreateOperationLogging;
import org.ballcat.log.operation.annotation.DeleteOperationLogging;
import org.ballcat.log.operation.annotation.UpdateOperationLogging;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
import org.springframework.util.CollectionUtils;
import org.springframework.web.bind.annotation.*;
@@ -42,7 +42,7 @@ public class SysOrganizationController {
* @return R 通用返回体
*/
@GetMapping("/list")
- @PreAuthorize("@per.hasPermission('system:organization:read')")
+ @Authorize("hasPermission('system:organization:read')")
@Operation(summary = "组织架构列表查询")
public R> listOrganization() {
List list = sysOrganizationService.list();
@@ -62,7 +62,7 @@ public R> listOrganization() {
* @return R 通用返回体
*/
@GetMapping("/tree")
- @PreAuthorize("@per.hasPermission('system:organization:read')")
+ @Authorize("hasPermission('system:organization:read')")
@Operation(summary = "组织架构树查询")
public R> getOrganizationTree(SysOrganizationQO qo) {
return R.ok(sysOrganizationService.listTree(qo));
@@ -75,7 +75,7 @@ public R> getOrganizationTree(SysOrganizationQO qo) {
*/
@CreateOperationLogging(msg = "新增组织架构")
@PostMapping
- @PreAuthorize("@per.hasPermission('system:organization:add')")
+ @Authorize("hasPermission('system:organization:add')")
@Operation(summary = "新增组织架构")
public R save(@RequestBody SysOrganizationDTO sysOrganizationDTO) {
return sysOrganizationService.create(sysOrganizationDTO) ? R.ok()
@@ -89,7 +89,7 @@ public R save(@RequestBody SysOrganizationDTO sysOrganizationDTO) {
*/
@UpdateOperationLogging(msg = "修改组织架构")
@PutMapping
- @PreAuthorize("@per.hasPermission('system:organization:edit')")
+ @Authorize("hasPermission('system:organization:edit')")
@Operation(summary = "修改组织架构")
public R updateById(@RequestBody SysOrganizationDTO sysOrganizationDTO) {
return sysOrganizationService.update(sysOrganizationDTO) ? R.ok()
@@ -103,7 +103,7 @@ public R updateById(@RequestBody SysOrganizationDTO sysOrganizationDTO) {
*/
@DeleteOperationLogging(msg = "通过id删除组织架构")
@DeleteMapping("/{id}")
- @PreAuthorize("@per.hasPermission('system:organization:del')")
+ @Authorize("hasPermission('system:organization:del')")
@Operation(summary = "通过id删除组织架构")
public R removeById(@PathVariable("id") Long id) {
return sysOrganizationService.removeById(id) ? R.ok()
@@ -116,7 +116,7 @@ public R removeById(@PathVariable("id") Long id) {
*/
@UpdateOperationLogging(msg = "校正组织机构层级和深度")
@PatchMapping("/revised")
- @PreAuthorize("@per.hasPermission('system:organization:revised')")
+ @Authorize("hasPermission('system:organization:revised')")
@Operation(summary = "校正组织机构层级和深度")
public R revisedHierarchyAndPath() {
return sysOrganizationService.revisedHierarchyAndPath() ? R.ok()
diff --git a/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysRoleController.java b/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysRoleController.java
index 442de28..63ee0c3 100644
--- a/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysRoleController.java
+++ b/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysRoleController.java
@@ -24,7 +24,7 @@
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
@@ -63,7 +63,7 @@ public class SysRoleController {
* @return PageResult 分页结果
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('system:role:read')")
+ @Authorize("hasPermission('system:role:read')")
public R> getRolePage(@Validated PageParam pageParam, SysRoleQO sysRoleQo) {
return R.ok(sysRoleService.queryPage(pageParam, sysRoleQo));
}
@@ -74,7 +74,7 @@ public R> getRolePage(@Validated PageParam pageParam,
* @return 角色信息
*/
@GetMapping("/{id}")
- @PreAuthorize("@per.hasPermission('system:role:read')")
+ @Authorize("hasPermission('system:role:read')")
public R getById(@PathVariable("id") Long id) {
return R.ok(sysRoleService.getById(id));
}
@@ -86,7 +86,7 @@ public R getById(@PathVariable("id") Long id) {
*/
@CreateOperationLogging(msg = "新增系统角色")
@PostMapping
- @PreAuthorize("@per.hasPermission('system:role:add')")
+ @Authorize("hasPermission('system:role:add')")
@Operation(summary = "新增系统角色", description = "新增系统角色")
public R save(@Valid @RequestBody SysRole sysRole) {
return sysRoleService.save(sysRole) ? R.ok() : R.failed(BaseResultCode.UPDATE_DATABASE_ERROR, "新建角色失败");
@@ -99,7 +99,7 @@ public R save(@Valid @RequestBody SysRole sysRole) {
*/
@UpdateOperationLogging(msg = "修改系统角色")
@PutMapping
- @PreAuthorize("@per.hasPermission('system:role:edit')")
+ @Authorize("hasPermission('system:role:edit')")
@Operation(summary = "修改系统角色", description = "修改系统角色")
public R update(@Valid @RequestBody SysRoleUpdateDTO roleUpdateDTO) {
SysRole sysRole = SysRoleConverter.INSTANCE.dtoToPo(roleUpdateDTO);
@@ -113,7 +113,7 @@ public R update(@Valid @RequestBody SysRoleUpdateDTO roleUpdateDTO) {
*/
@DeleteMapping("/{id}")
@DeleteOperationLogging(msg = "通过id删除系统角色")
- @PreAuthorize("@per.hasPermission('system:role:del')")
+ @Authorize("hasPermission('system:role:del')")
@Operation(summary = "通过id删除系统角色", description = "通过id删除系统角色")
public R removeById(@PathVariable("id") Long id) {
SysRole oldRole = sysRoleService.getById(id);
@@ -143,7 +143,7 @@ public R> listRoles() {
*/
@PutMapping("/permission/code/{roleCode}")
@UpdateOperationLogging(msg = "更新角色权限")
- @PreAuthorize("@per.hasPermission('system:role:grant')")
+ @Authorize("hasPermission('system:role:grant')")
@Operation(summary = "更新角色权限", description = "更新角色权限")
public R savePermissionIds(@PathVariable("roleCode") String roleCode, @RequestBody Long[] permissionIds) {
return R.ok(sysRoleMenuService.saveRoleMenus(roleCode, permissionIds));
@@ -176,7 +176,7 @@ public R>> listSelectData() {
* @return R
*/
@GetMapping("/user/page")
- @PreAuthorize("@per.hasPermission('system:role:grant')")
+ @Authorize("hasPermission('system:role:grant')")
@Operation(summary = "查看已授权指定角色的用户列表", description = "查看已授权指定角色的用户列表")
public R> queryUserPageByRoleCode(PageParam pageParam,
@Valid RoleBindUserQO roleBindUserQO) {
@@ -188,7 +188,7 @@ public R> queryUserPageByRoleCode(PageParam pageParam
* @return R
*/
@DeleteMapping("/user")
- @PreAuthorize("@per.hasPermission('system:role:grant')")
+ @Authorize("hasPermission('system:role:grant')")
@Operation(summary = "解绑与用户绑定关系", description = "解绑与用户绑定关系")
public R unbindRoleUser(@RequestParam("userId") Long userId, @RequestParam("roleCode") String roleCode) {
return R.ok(sysUserRoleService.unbindRoleUser(userId, roleCode));
diff --git a/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysUserController.java b/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysUserController.java
index 2ff5013..bf2ac10 100644
--- a/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysUserController.java
+++ b/ballcat-business-system/ballcat-system-controller/src/main/java/org/ballcat/business/system/controller/SysUserController.java
@@ -28,7 +28,7 @@
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.ballcat.security.annotation.Authorize;
import org.springframework.util.CollectionUtils;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
@@ -75,7 +75,7 @@ public class SysUserController {
* @return 用户集合
*/
@GetMapping("/page")
- @PreAuthorize("@per.hasPermission('system:user:read')")
+ @Authorize("hasPermission('system:user:read')")
@Operation(summary = "分页查询系统用户")
public R> getUserPage(@Validated PageParam pageParam, SysUserQO qo) {
return R.ok(sysUserService.queryPage(pageParam, qo));
@@ -86,7 +86,7 @@ public R> getUserPage(@Validated PageParam pageParam,
* @return 用户SelectData
*/
@GetMapping("/select")
- @PreAuthorize("@per.hasPermission('system:user:read')")
+ @Authorize("hasPermission('system:user:read')")
@Operation(summary = "获取用户下拉列表数据")
public R>> listSelectData(
@RequestParam(value = "userTypes", required = false) List userTypes) {
@@ -99,7 +99,7 @@ public R>> listSelectData(
* @return SysUserInfo
*/
@GetMapping("/{userId}")
- @PreAuthorize("@per.hasPermission('system:user:read')")
+ @Authorize("hasPermission('system:user:read')")
@Operation(summary = "获取指定用户的基本信息")
public R getSysUserInfo(@PathVariable("userId") Long userId) {
SysUser sysUser = sysUserService.getById(userId);
@@ -117,7 +117,7 @@ public R getSysUserInfo(@PathVariable("userId") Long userId) {
*/
@PostMapping
@CreateOperationLogging(msg = "新增系统用户")
- @PreAuthorize("@per.hasPermission('system:user:add')")
+ @Authorize("hasPermission('system:user:add')")
@Operation(summary = "新增系统用户", description = "新增系统用户")
public R addSysUser(@Validated({ Default.class, CreateGroup.class }) @RequestBody SysUserDTO sysUserDTO) {
SysUser user = sysUserService.getByUsername(sysUserDTO.getUsername());
@@ -146,7 +146,7 @@ public R addSysUser(@Validated({ Default.class, CreateGroup.class }) @Requ
*/
@PutMapping
@UpdateOperationLogging(msg = "修改系统用户")
- @PreAuthorize("@per.hasPermission('system:user:edit')")
+ @Authorize("hasPermission('system:user:edit')")
@Operation(summary = "修改系统用户", description = "修改系统用户")
public R updateUserInfo(@Validated({ Default.class, UpdateGroup.class }) @RequestBody SysUserDTO sysUserDto) {
return sysUserService.updateSysUser(sysUserDto) ? R.ok()
@@ -158,7 +158,7 @@ public R updateUserInfo(@Validated({ Default.class, UpdateGroup.class }) @
*/
@DeleteMapping("/{userId}")
@DeleteOperationLogging(msg = "通过id删除系统用户")
- @PreAuthorize("@per.hasPermission('system:user:del')")
+ @Authorize("hasPermission('system:user:del')")
@Operation(summary = "通过id删除系统用户", description = "通过id删除系统用户")
public R deleteByUserId(@PathVariable("userId") Long userId) {
return sysUserService.deleteByUserId(userId) ? R.ok()
@@ -170,7 +170,7 @@ public R deleteByUserId(@PathVariable("userId") Long userId) {
* @param userId userId
*/
@GetMapping("/scope/{userId}")
- @PreAuthorize("@per.hasPermission('system:user:grant')")
+ @Authorize("hasPermission('system:user:grant')")
public R getUserRoleIds(@PathVariable("userId") Long userId) {
List roleList = sysUserRoleService.listRoles(userId);
@@ -193,7 +193,7 @@ public R getUserRoleIds(@PathVariable("userId") Long userId) {
*/
@PutMapping("/scope/{userId}")
@UpdateOperationLogging(msg = "系统用户授权")
- @PreAuthorize("@per.hasPermission('system:user:grant')")
+ @Authorize("hasPermission('system:user:grant')")
@Operation(summary = "系统用户授权", description = "系统用户授权")
public R updateUserScope(@PathVariable("userId") Long userId, @RequestBody SysUserScope sysUserScope) {
return sysUserService.updateUserScope(userId, sysUserScope) ? R.ok()
@@ -205,7 +205,7 @@ public R updateUserScope(@PathVariable("userId") Long userId, @RequestBody
*/
@PutMapping("/pass/{userId}")
@UpdateOperationLogging(msg = "修改系统用户密码")
- @PreAuthorize("@per.hasPermission('system:user:pass')")
+ @Authorize("hasPermission('system:user:pass')")
@Operation(summary = "修改系统用户密码", description = "修改系统用户密码")
public R updateUserPass(@PathVariable("userId") Long userId, @RequestBody SysUserPassDTO sysUserPassDTO) {
String pass = sysUserPassDTO.getPass();
@@ -230,7 +230,7 @@ public R updateUserPass(@PathVariable("userId") Long userId, @RequestBody
*/
@PutMapping("/status")
@UpdateOperationLogging(msg = "批量修改用户状态")
- @PreAuthorize("@per.hasPermission('system:user:edit')")
+ @Authorize("hasPermission('system:user:edit')")
@Operation(summary = "批量修改用户状态", description = "批量修改用户状态")
public R updateUserStatus(@NotEmpty(message = "用户ID不能为空") @RequestBody List userIds,
@NotNull(message = "用户状态不能为空") @RequestParam("status") Integer status) {
@@ -244,7 +244,7 @@ public R updateUserStatus(@NotEmpty(message = "用户ID不能为空") @Req
}
@UpdateOperationLogging(msg = "修改系统用户头像")
- @PreAuthorize("@per.hasPermission('system:user:edit')")
+ @Authorize("hasPermission('system:user:edit')")
@PostMapping("/avatar")
@Operation(summary = "修改系统用户头像", description = "修改系统用户头像")
public R updateAvatar(@RequestParam("file") MultipartFile file, @RequestParam("userId") Long userId) {
diff --git a/db/2ballcat-1.3.0.sql b/db/2ballcat-1.3.0.sql
index f3b2fa8..fcb6c02 100644
--- a/db/2ballcat-1.3.0.sql
+++ b/db/2ballcat-1.3.0.sql
@@ -614,7 +614,6 @@ INSERT INTO `sys_user_role` VALUES (1, 1, 'ROLE_ADMIN');
INSERT INTO `sys_user_role` VALUES (6, 10, 'ROLE_SALES_EXECUTIVE');
INSERT INTO `sys_user_role` VALUES (4, 1, 'ROLE_TEST');
-
/*
IMPORTANT:
If using PostgreSQL, update ALL columns defined with 'blob' to 'text',