diff --git a/blog-admin/src/main/java/com/zyd/blog/controller/ErrorPagesController.java b/blog-admin/src/main/java/com/zyd/blog/controller/ErrorPagesController.java
new file mode 100644
index 0000000000000000000000000000000000000000..827bf9f3cc0dab6ab76bb9ee70391bb41708c91e
--- /dev/null
+++ b/blog-admin/src/main/java/com/zyd/blog/controller/ErrorPagesController.java
@@ -0,0 +1,194 @@
+/**
+ * MIT License
+ * Copyright (c) 2018 yadong.zhang
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+package com.zyd.blog.controller;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.web.ErrorAttributes;
+import org.springframework.boot.autoconfigure.web.ErrorController;
+import org.springframework.boot.autoconfigure.web.ErrorProperties;
+import org.springframework.boot.autoconfigure.web.ServerProperties;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Controller;
+import org.springframework.util.Assert;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.context.request.RequestAttributes;
+import org.springframework.web.context.request.ServletRequestAttributes;
+import org.springframework.web.servlet.ModelAndView;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Map;
+
+/**
+ * 重写BasicErrorController,主要负责系统的异常页面的处理以及错误信息的显示
+ * <p/>
+ * 此处指需要记录
+ * @see org.springframework.boot.autoconfigure.web.BasicErrorController
+ * @see org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration
+ * <p/>
+ * 要注意，这个类里面的代码一定不能有异常或者潜在异常发生，否则可能会让程序陷入死循环。
+ * <p/>
+ *
+ * @author yadong.zhang (yadong.zhang0415(a)gmail.com)
+ * @website https://www.zhyd.me
+ * @version 1.0
+ * @date 2018/4/16 16:26
+ * @since 1.0
+ */
+@Controller
+@RequestMapping("/error")
+@EnableConfigurationProperties({ServerProperties.class})
+public class ErrorPagesController implements ErrorController {
+    private static final Logger LOG = LoggerFactory.getLogger(ErrorPagesController.class);
+
+    private ErrorAttributes errorAttributes;
+
+    @Autowired
+    private ServerProperties serverProperties;
+
+    /**
+     * 初始化ExceptionController
+     *
+     * @param errorAttributes
+     */
+    @Autowired
+    public ErrorPagesController(ErrorAttributes errorAttributes) {
+        Assert.notNull(errorAttributes, "ErrorAttributes must not be null");
+        this.errorAttributes = errorAttributes;
+    }
+
+    @RequestMapping("/404")
+    public ModelAndView errorHtml404(HttpServletRequest request, HttpServletResponse response) {
+        response.setStatus(HttpStatus.NOT_FOUND.value());
+        Map<String, Object> model = getErrorAttributes(request, isIncludeStackTrace(request, MediaType.TEXT_HTML));
+
+        return new ModelAndView("error/404", model);
+    }
+
+    @RequestMapping("/403")
+    public ModelAndView errorHtml403(HttpServletRequest request, HttpServletResponse response) {
+        response.setStatus(HttpStatus.FORBIDDEN.value());
+        // 404拦截规则，如果是静态文件发生的404则不记录到DB
+        Map<String, Object> model = getErrorAttributes(request, isIncludeStackTrace(request, MediaType.TEXT_HTML));
+        if (!String.valueOf(model.get("path")).contains(".")) {
+            model.put("status", HttpStatus.FORBIDDEN.value());
+        }
+        return new ModelAndView("error/403", model);
+    }
+
+    @RequestMapping("/400")
+    public ModelAndView errorHtml400(HttpServletRequest request, HttpServletResponse response) {
+        response.setStatus(HttpStatus.BAD_REQUEST.value());
+        Map<String, Object> model = getErrorAttributes(request, isIncludeStackTrace(request, MediaType.TEXT_HTML));
+        return new ModelAndView("error/400", model);
+    }
+
+    @RequestMapping("/401")
+    public ModelAndView errorHtml401(HttpServletRequest request, HttpServletResponse response) {
+        response.setStatus(HttpStatus.UNAUTHORIZED.value());
+        Map<String, Object> model = getErrorAttributes(request, isIncludeStackTrace(request, MediaType.TEXT_HTML));
+        return new ModelAndView("error/401", model);
+    }
+
+    @RequestMapping("/500")
+    public ModelAndView errorHtml500(HttpServletRequest request, HttpServletResponse response) {
+        response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
+        Map<String, Object> model = getErrorAttributes(request, isIncludeStackTrace(request, MediaType.TEXT_HTML));
+        return new ModelAndView("error/500", model);
+    }
+
+    /**
+     * Determine if the stacktrace attribute should be included.
+     *
+     * @param request
+     *         the source request
+     * @param produces
+     *         the media type produced (or {@code MediaType.ALL})
+     * @return if the stacktrace attribute should be included
+     */
+    protected boolean isIncludeStackTrace(HttpServletRequest request,
+                                          MediaType produces) {
+        ErrorProperties.IncludeStacktrace include = this.serverProperties.getError().getIncludeStacktrace();
+        if (include == ErrorProperties.IncludeStacktrace.ALWAYS) {
+            return true;
+        }
+        return include == ErrorProperties.IncludeStacktrace.ON_TRACE_PARAM && getTraceParameter(request);
+    }
+
+
+    /**
+     * 获取错误的信息
+     *
+     * @param request
+     * @param includeStackTrace
+     * @return
+     */
+    private Map<String, Object> getErrorAttributes(HttpServletRequest request,
+                                                   boolean includeStackTrace) {
+        RequestAttributes requestAttributes = new ServletRequestAttributes(request);
+        return this.errorAttributes.getErrorAttributes(requestAttributes,
+                includeStackTrace);
+    }
+
+    /**
+     * 是否包含trace
+     *
+     * @param request
+     * @return
+     */
+    private boolean getTraceParameter(HttpServletRequest request) {
+        String parameter = request.getParameter("trace");
+        return parameter != null && !"false".equalsIgnoreCase(parameter);
+    }
+
+    /**
+     * 获取错误编码
+     *
+     * @param request
+     * @return
+     */
+    private HttpStatus getStatus(HttpServletRequest request) {
+        Integer statusCode = (Integer) request
+                .getAttribute("javax.servlet.error.status_code");
+        if (statusCode == null) {
+            return HttpStatus.INTERNAL_SERVER_ERROR;
+        }
+        try {
+            return HttpStatus.valueOf(statusCode);
+        } catch (Exception ex) {
+            LOG.error("获取当前HttpStatus发生异常", ex);
+            return HttpStatus.INTERNAL_SERVER_ERROR;
+        }
+    }
+
+    /**
+     * 实现错误路径,暂时无用
+     *
+     * @return
+     */
+    @Override
+    public String getErrorPath() {
+        return "";
+    }
+}
diff --git a/blog-admin/src/main/java/com/zyd/blog/controller/PassportController.java b/blog-admin/src/main/java/com/zyd/blog/controller/PassportController.java
index bf3a8e511db6d59828838ea3ce661c3c87c082f9..ce6838d052bad0972bc28cf71472842cf02d5873 100644
--- a/blog-admin/src/main/java/com/zyd/blog/controller/PassportController.java
+++ b/blog-admin/src/main/java/com/zyd/blog/controller/PassportController.java
@@ -20,8 +20,8 @@
 package com.zyd.blog.controller;
 
 import com.zyd.blog.business.annotation.BussinessLog;
-import com.zyd.blog.framework.property.AppProperties;
 import com.zyd.blog.framework.object.ResponseVO;
+import com.zyd.blog.framework.property.AppProperties;
 import com.zyd.blog.util.ResultUtil;
 import com.zyd.blog.util.SessionUtil;
 import org.apache.shiro.SecurityUtils;
@@ -60,6 +60,10 @@ public class PassportController {
     @BussinessLog("进入登录页面")
     @GetMapping("/login")
     public ModelAndView login(Model model) {
+        Subject subject = SecurityUtils.getSubject();
+        if (subject.isAuthenticated()||subject.isRemembered()){
+            return ResultUtil.redirect("/index");
+        }
         model.addAttribute("enableKaptcha", config.getEnableKaptcha());
         return ResultUtil.view("/login");
     }
diff --git a/blog-admin/src/main/java/com/zyd/blog/controller/RestArticleController.java b/blog-admin/src/main/java/com/zyd/blog/controller/RestArticleController.java
index ec1c702ee136eb30cfc28f1ee0743e947245a439..57e11b254a347df1e5f9245a3602e0abab066c71 100644
--- a/blog-admin/src/main/java/com/zyd/blog/controller/RestArticleController.java
+++ b/blog-admin/src/main/java/com/zyd/blog/controller/RestArticleController.java
@@ -33,6 +33,7 @@ import com.zyd.blog.framework.object.ResponseVO;
 import com.zyd.blog.util.FileUtil;
 import com.zyd.blog.util.ResultUtil;
 import com.zyd.blog.util.SessionUtil;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -58,6 +59,7 @@ public class RestArticleController {
     @Autowired
     private BizArticleTagsService articleTagsService;
 
+    @RequiresPermissions("articles")
     @PostMapping("/list")
     public PageResult list(ArticleConditionVO vo) {
         PageHelper.startPage(vo.getPageNumber() - 1, vo.getPageSize());
diff --git a/blog-admin/src/main/java/com/zyd/blog/controller/RestCommentController.java b/blog-admin/src/main/java/com/zyd/blog/controller/RestCommentController.java
index 43f98a9039b8215f54725c8d7a98e977142d14e9..5ccf49aa099f04e0c4d5af0a06412aaab0bebeee 100644
--- a/blog-admin/src/main/java/com/zyd/blog/controller/RestCommentController.java
+++ b/blog-admin/src/main/java/com/zyd/blog/controller/RestCommentController.java
@@ -36,6 +36,7 @@ import com.zyd.blog.framework.object.PageResult;
 import com.zyd.blog.framework.object.ResponseVO;
 import com.zyd.blog.util.ResultUtil;
 import com.zyd.blog.util.SessionUtil;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -61,6 +62,7 @@ public class RestCommentController {
     @Autowired
     private MailService mailService;
 
+    @RequiresPermissions("comments")
     @PostMapping("/list")
     public PageResult list(CommentConditionVO vo) {
         PageHelper.startPage(vo.getPageNumber() - 1, vo.getPageSize());
diff --git a/blog-admin/src/main/java/com/zyd/blog/controller/RestResourcesController.java b/blog-admin/src/main/java/com/zyd/blog/controller/RestResourcesController.java
index 472967fbde04b19b777b66b6fbef0fbc088808bf..c2f4a6de0c3145121b8d3105f2deaf2aa371244d 100644
--- a/blog-admin/src/main/java/com/zyd/blog/controller/RestResourcesController.java
+++ b/blog-admin/src/main/java/com/zyd/blog/controller/RestResourcesController.java
@@ -29,7 +29,6 @@ import com.zyd.blog.core.shiro.ShiroService;
 import com.zyd.blog.framework.object.PageResult;
 import com.zyd.blog.framework.object.ResponseVO;
 import com.zyd.blog.util.ResultUtil;
-import com.zyd.blog.util.SessionUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.cache.annotation.CacheEvict;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -37,9 +36,7 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 
 /**
  * 系统资源管理
@@ -71,15 +68,6 @@ public class RestResourcesController {
         return ResultUtil.success(null, resourcesService.queryResourcesListWithSelected(rid));
     }
 
-    @PostMapping("/loadMenu")
-    public List<Resources> loadMenu() {
-        Map<String, Object> map = new HashMap<>();
-        Long userId = SessionUtil.getUser().getId();
-        map.put("type", "menu");
-        map.put("userId", userId);
-        return resourcesService.listUserResources(map);
-    }
-
     @PostMapping("/listParents")
     public List<Resources> listParents() {
         return resourcesService.listAllParentResource();
diff --git a/blog-admin/src/main/java/com/zyd/blog/controller/RestRoleController.java b/blog-admin/src/main/java/com/zyd/blog/controller/RestRoleController.java
index ac571e400fc2e6db7902e114419d5eea174dce9f..76f27083912a7642307d57a452c8eea9b78a93e1 100644
--- a/blog-admin/src/main/java/com/zyd/blog/controller/RestRoleController.java
+++ b/blog-admin/src/main/java/com/zyd/blog/controller/RestRoleController.java
@@ -26,6 +26,7 @@ import com.zyd.blog.business.enums.ResponseStatus;
 import com.zyd.blog.business.service.SysRoleResourcesService;
 import com.zyd.blog.business.service.SysRoleService;
 import com.zyd.blog.business.vo.RoleConditionVO;
+import com.zyd.blog.core.shiro.ShiroService;
 import com.zyd.blog.framework.object.PageResult;
 import com.zyd.blog.framework.object.ResponseVO;
 import com.zyd.blog.util.ResultUtil;
@@ -54,6 +55,8 @@ public class RestRoleController {
     private SysRoleService roleService;
     @Autowired
     private SysRoleResourcesService roleResourcesService;
+    @Autowired
+    private ShiroService shiroService;
 
     @PostMapping("/list")
     public PageResult getAll(RoleConditionVO vo) {
@@ -67,13 +70,14 @@ public class RestRoleController {
         return ResultUtil.success(null, roleService.queryRoleListWithSelected(uid));
     }
 
-    //分配角色
     @PostMapping("/saveRoleResources")
     public ResponseVO saveRoleResources(Long roleId, String resourcesId) {
         if (StringUtils.isEmpty(roleId)) {
             return ResultUtil.error("error");
         }
         roleResourcesService.addRoleResources(roleId, resourcesId);
+        // 重新加载所有拥有roleId的用户的权限信息
+        shiroService.reloadAuthorizingByRoleId(roleId);
         return ResultUtil.success("成功");
     }
 
diff --git a/blog-admin/src/main/java/com/zyd/blog/core/shiro/ShiroService.java b/blog-admin/src/main/java/com/zyd/blog/core/shiro/ShiroService.java
index 1584b49f15259036d4d417e9f687bd013480bba2..3346aa897391fa182726a84fb702d9a3e67949ae 100644
--- a/blog-admin/src/main/java/com/zyd/blog/core/shiro/ShiroService.java
+++ b/blog-admin/src/main/java/com/zyd/blog/core/shiro/ShiroService.java
@@ -20,14 +20,24 @@
 package com.zyd.blog.core.shiro;
 
 import com.zyd.blog.business.entity.Resources;
+import com.zyd.blog.business.entity.User;
 import com.zyd.blog.business.service.SysResourcesService;
+import com.zyd.blog.business.service.SysUserService;
+import com.zyd.blog.core.shiro.realm.ShiroRealm;
 import com.zyd.blog.framework.holder.SpringContextHolder;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.mgt.RealmSecurityManager;
 import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+import org.apache.shiro.subject.Subject;
 import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
 import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
 import org.apache.shiro.web.servlet.AbstractShiroFilter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 
 import java.util.LinkedHashMap;
@@ -45,8 +55,12 @@ import java.util.Map;
  */
 @Service
 public class ShiroService {
+
+    private static final Logger LOG = LoggerFactory.getLogger(ShiroService.class);
     @Autowired
     private SysResourcesService resourcesService;
+    @Autowired
+    private SysUserService userService;
 
     /**
      * 初始化权限
@@ -109,44 +123,41 @@ public class ShiroService {
                 String chainDefinition = entry.getValue().trim().replace(" ", "");
                 manager.createChain(url, chainDefinition);
             }
-
-            System.out.println("更新权限成功！！");
         }
     }
 
     /**
-     * 根据userId 清除当前session存在的用户的权限缓存
-     * @param userIds 已经修改了权限的userId
+     * 重新加载用户权限
+     *
+     * @param user
      */
-   /* public void clearUserAuthByUserId(List<Integer> userIds){
-        if(null == userIds || userIds.size() == 0)	return ;
-        //获取所有session
-        Collection<Session> sessions = redisSessionDAO.getActiveSessions();
-        //定义返回
-        List<SimplePrincipalCollection> list = new ArrayList<SimplePrincipalCollection>();
-        for (Session session:sessions){
-            //获取session登录信息。
-            Object obj = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
-            if(null != obj && obj instanceof SimplePrincipalCollection){
-                //强转
-                SimplePrincipalCollection spc = (SimplePrincipalCollection)obj;
-                //判断用户，匹配用户ID。
-                obj = spc.getPrimaryPrincipal();
-                if(null != obj && obj instanceof User){
-                    User user = (User) obj;
-                    System.out.println("user:"+user);
-                    //比较用户ID，符合即加入集合
-                    if(null != user && userIds.contains(user.getId())){
-                        list.add(spc);
-                    }
-                }
-            }
+    public void reloadAuthorizingByUserId(User user) {
+        RealmSecurityManager rsm = (RealmSecurityManager) SecurityUtils.getSecurityManager();
+        ShiroRealm shiroRealm = (ShiroRealm) rsm.getRealms().iterator().next();
+        Subject subject = SecurityUtils.getSubject();
+        String realmName = subject.getPrincipals().getRealmNames().iterator().next();
+        SimplePrincipalCollection principals = new SimplePrincipalCollection(user.getId(), realmName);
+        subject.runAs(principals);
+        shiroRealm.getAuthorizationCache().remove(subject.getPrincipals());
+        subject.releaseRunAs();
+
+        LOG.info("用户[{}]的权限更新成功！！", user.getUsername());
+
+    }
+
+    /**
+     * 重新加载所有拥有roleId角色的用户的权限
+     *
+     * @param roleId
+     */
+    public void reloadAuthorizingByRoleId(Long roleId) {
+        List<User> userList = userService.listByRoleId(roleId);
+        if (CollectionUtils.isEmpty(userList)) {
+            return;
         }
-        RealmSecurityManager securityManager =
-                (RealmSecurityManager) SecurityUtils.getSecurityManager();
-        MyShiroRealm realm = (MyShiroRealm)securityManager.getRealms().iterator().next();
-        for (SimplePrincipalCollection simplePrincipalCollection : list) {
-            realm.clearCachedAuthorizationInfo(simplePrincipalCollection);
+        for (User user : userList) {
+            reloadAuthorizingByUserId(user);
         }
-    }*/
+    }
+
 }
diff --git a/blog-admin/src/main/java/com/zyd/blog/core/shiro/credentials/RetryLimitCredentialsMatcher.java b/blog-admin/src/main/java/com/zyd/blog/core/shiro/credentials/RetryLimitCredentialsMatcher.java
index 538395cd61a35a90a07b5eec50d204cbdca704f5..100343f011ca4737bb9f04f278528db718636a1b 100644
--- a/blog-admin/src/main/java/com/zyd/blog/core/shiro/credentials/RetryLimitCredentialsMatcher.java
+++ b/blog-admin/src/main/java/com/zyd/blog/core/shiro/credentials/RetryLimitCredentialsMatcher.java
@@ -19,7 +19,6 @@
  */
 package com.zyd.blog.core.shiro.credentials;
 
-import com.alibaba.fastjson.JSONObject;
 import com.zyd.blog.business.consts.SessionConst;
 import com.zyd.blog.business.entity.User;
 import com.zyd.blog.business.service.SysUserService;
@@ -34,7 +33,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.data.redis.core.ValueOperations;
 
-import javax.annotation.Resource;
 import java.util.concurrent.TimeUnit;
 
 /**
@@ -59,14 +57,14 @@ public class RetryLimitCredentialsMatcher extends CredentialsMatcher {
      */
     private static final String SHIRO_IS_LOCK = "shiro_is_lock_";
     @Autowired
-    RedisTemplate redisTemplate;
-    @Resource
+    private RedisTemplate redisTemplate;
+    @Autowired
     private SysUserService userService;
 
     @Override
     public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
-        User user = (User) info.getPrincipals().getPrimaryPrincipal();
-        LOGGER.info("== 验证用户：{}", JSONObject.toJSONString(user));
+        Long userId = (Long) info.getPrincipals().getPrimaryPrincipal();
+        User user = userService.getByPrimaryKey(userId);
         String username = user.getUsername();
         // 访问一次，计数一次
         ValueOperations<String, String> opsForValue = redisTemplate.opsForValue();
@@ -104,6 +102,6 @@ public class RetryLimitCredentialsMatcher extends CredentialsMatcher {
         // 当验证都通过后，把用户信息放在session里
         // 注：User必须实现序列化
         SecurityUtils.getSubject().getSession().setAttribute(SessionConst.USER_SESSION_KEY, user);
-        return matches;
+        return true;
     }
 }
diff --git a/blog-admin/src/main/java/com/zyd/blog/core/shiro/realm/ShiroRealm.java b/blog-admin/src/main/java/com/zyd/blog/core/shiro/realm/ShiroRealm.java
index 919c91808e3a23f797c853e1768330c353fd04c2..1f3f52da2b1b24d93254538ad4efd1e2b7963bff 100644
--- a/blog-admin/src/main/java/com/zyd/blog/core/shiro/realm/ShiroRealm.java
+++ b/blog-admin/src/main/java/com/zyd/blog/core/shiro/realm/ShiroRealm.java
@@ -58,7 +58,6 @@ public class ShiroRealm extends AuthorizingRealm {
 
     /**
      * 提供账户信息返回认证信息（用户的角色信息集合）
-     *
      */
     @Override
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
@@ -72,13 +71,13 @@ public class ShiroRealm extends AuthorizingRealm {
             throw new LockedAccountException("帐号已被锁定，禁止登录！");
         }
 
-        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
-                user,
+        // principal参数使用用户Id，方便动态刷新用户权限
+        return new SimpleAuthenticationInfo(
+                user.getId(),
                 user.getPassword(),
                 ByteSource.Util.bytes(username),
                 getName()
         );
-        return authenticationInfo;
     }
 
     /**
@@ -86,9 +85,9 @@ public class ShiroRealm extends AuthorizingRealm {
      */
     @Override
     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
-        User user = (User) SecurityUtils.getSubject().getPrincipal();
+        Long userId = (Long) SecurityUtils.getSubject().getPrincipal();
         Map<String, Object> map = new HashMap<String, Object>();
-        map.put("userId", user.getId());
+        map.put("userId", userId);
         List<Resources> resourcesList = resourcesService.listUserResources(map);
         // 权限信息对象info,用来存放查出的用户的所有的角色（role）及权限（permission）
         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
@@ -111,14 +110,4 @@ public class ShiroRealm extends AuthorizingRealm {
         return info;
     }
 
-    /**
-     * 指定principalCollection 清除
-     */
-  /*  public void clearCachedAuthorizationInfo(PrincipalCollection principalCollection) {
-
-        SimplePrincipalCollection principals = new SimplePrincipalCollection(
-                principalCollection, getName());
-        super.clearCachedAuthorizationInfo(principals);
-    }
-*/
 }
diff --git a/blog-admin/src/main/resources/static/assets/js/zhyd.core.js b/blog-admin/src/main/resources/static/assets/js/zhyd.core.js
index 7b12c53a92b257eed0cfbd95b27dd86df42e4b2c..e801216c8fcc73ce6de93271b2549d7d33ead1f5 100644
--- a/blog-admin/src/main/resources/static/assets/js/zhyd.core.js
+++ b/blog-admin/src/main/resources/static/assets/js/zhyd.core.js
@@ -205,31 +205,7 @@ $.fn.popover.Constructor.prototype.leave = function (a) {
     // zhyd.initSidebar();
     zhyd.initDaterangepicker();
     zhyd.initValidator();
-    var menuHtml = localStorage.getItem("menu");
-    if (menuHtml) {
-        $(".side-menu").append(menuHtml);
-        zhyd.initSidebar();
-    } else {
-        $.ajax({
-            cache: true,
-            type: "POST",
-            url: '/resources/loadMenu',
-            dataType: "json",
-            success: function (data) {
-                var html = "";
-                $.each(data, function (index) {
-                    console.log(this);
-                    this.hasNodes = this.nodes && this.nodes.length > 0;
-                    var tpl = '{{#hasNodes}}<li><a><i class="{{icon}}"></i> {{name}}<span class="fa fa-chevron-down"></span></a><ul class="nav child_menu">{{#nodes}}<li><a href="{{url}}"><i class="{{icon}}"></i>{{name}}</a></li>{{/nodes}}</ul></li>{{/hasNodes}}';
-                    tpl += '{{^hasNodes}}<li><a href="{{url}}"><i class="{{icon}}"></i> {{name}}</a></li>{{/hasNodes}}';
-                    html += Mustache.render(tpl, this);
-                });
-                localStorage.setItem("menu", html);
-                $(".side-menu").append(html);
-                zhyd.initSidebar();
-            }
-        });
-    }
+    zhyd.initSidebar();
 
     $.ajax({
         cache: false,
diff --git a/blog-admin/src/main/resources/templates/layout/sidebar.ftl b/blog-admin/src/main/resources/templates/layout/sidebar.ftl
index 122133fca590944f8a6883e6137c78dfc31a042c..e496aae3be62e0e0245b1feba44f933b3e81fff7 100644
--- a/blog-admin/src/main/resources/templates/layout/sidebar.ftl
+++ b/blog-admin/src/main/resources/templates/layout/sidebar.ftl
@@ -2,6 +2,24 @@
 <div id="sidebar-menu" class="main_menu_side hidden-print main_menu">
     <div class="menu_section">
         <ul class="nav side-menu">
+            <@zhydTag method="menus" userId="${user.id}">
+                <#if menus?? && menus?size gt 0>
+                    <#list menus as item>
+                        <#if item.nodes?? && item.nodes?size gt 0>
+                            <li>
+                                <a><i class="${item.icon?if_exists}"></i> ${item.name?if_exists}<span class="fa fa-chevron-down"></span></a>
+                                <ul class="nav child_menu">
+                                    <#list item.nodes as node>
+                                        <li><a href="${node.url?if_exists}"><i class="${node.icon?if_exists}"></i>${node.name?if_exists}</a></li>
+                                    </#list>
+                                </ul>
+                            </li>
+                        <#else>
+                            <li><a href="${item.url?if_exists}"><i class="${item.icon?if_exists}"></i>${item.name?if_exists}</a></li>
+                        </#if>
+                    </#list>
+                </#if>
+            </@zhydTag>
         </ul>
     </div>
 </div>
diff --git a/blog-core/src/main/java/com/zyd/blog/business/service/SysUserService.java b/blog-core/src/main/java/com/zyd/blog/business/service/SysUserService.java
index ed82ea8d1cd7229cd336fc1a492f8e71e30ee8a3..10f95343e73a20a75fb6824598c142c49e593ff5 100644
--- a/blog-core/src/main/java/com/zyd/blog/business/service/SysUserService.java
+++ b/blog-core/src/main/java/com/zyd/blog/business/service/SysUserService.java
@@ -25,6 +25,8 @@ import com.zyd.blog.business.entity.User;
 import com.zyd.blog.business.vo.UserConditionVO;
 import com.zyd.blog.framework.object.AbstractService;
 
+import java.util.List;
+
 /**
  * 用户
  *
@@ -60,4 +62,12 @@ public interface SysUserService extends AbstractService<User, Long> {
      */
     User getByUserName(String userName);
 
+    /**
+     * 通过角色Id获取用户列表
+     *
+     * @param roleId
+     * @return
+     */
+    List<User> listByRoleId(Long roleId);
+
 }
diff --git a/blog-core/src/main/java/com/zyd/blog/business/service/impl/SysRoleServiceImpl.java b/blog-core/src/main/java/com/zyd/blog/business/service/impl/SysRoleServiceImpl.java
index 1f70c5a0325fab0719a6a3a2e485e231e01cc98c..5904f7ac14042759adb970a6543a8bb7a872be61 100644
--- a/blog-core/src/main/java/com/zyd/blog/business/service/impl/SysRoleServiceImpl.java
+++ b/blog-core/src/main/java/com/zyd/blog/business/service/impl/SysRoleServiceImpl.java
@@ -121,11 +121,10 @@ public class SysRoleServiceImpl implements SysRoleService {
     public void insertList(List<Role> entities) {
         Assert.notNull(entities, "entities不可为空！");
         List<SysRole> sysRole = new ArrayList<>();
-        String regIp = IpUtil.getRealIp(RequestHolder.getRequest());
-        for (Role Role : entities) {
-            Role.setUpdateTime(new Date());
-            Role.setCreateTime(new Date());
-            sysRole.add(Role.getSysRole());
+        for (Role role : entities) {
+            role.setUpdateTime(new Date());
+            role.setCreateTime(new Date());
+            sysRole.add(role.getSysRole());
         }
         roleMapper.insertList(sysRole);
     }
diff --git a/blog-core/src/main/java/com/zyd/blog/business/service/impl/SysUserServiceImpl.java b/blog-core/src/main/java/com/zyd/blog/business/service/impl/SysUserServiceImpl.java
index 5ff0044293369a1a48b1a2e28b2f255d2ef66d67..63eb42eb4d62872288ea239f16ec4c28af1b0865 100644
--- a/blog-core/src/main/java/com/zyd/blog/business/service/impl/SysUserServiceImpl.java
+++ b/blog-core/src/main/java/com/zyd/blog/business/service/impl/SysUserServiceImpl.java
@@ -250,4 +250,23 @@ public class SysUserServiceImpl implements SysUserService {
         return getOneByEntity(user);
     }
 
+    /**
+     * 通过角色Id获取用户列表
+     *
+     * @param roleId
+     * @return
+     */
+    @Override
+    public List<User> listByRoleId(Long roleId) {
+        List<SysUser> sysUsers = sysUserMapper.listByRoleId(roleId);
+        if (CollectionUtils.isEmpty(sysUsers)) {
+            return null;
+        }
+        List<User> users = new ArrayList<>();
+        for (SysUser su : sysUsers) {
+            users.add(new User(su));
+        }
+        return users;
+    }
+
 }
diff --git a/blog-core/src/main/java/com/zyd/blog/framework/tag/CustomTagDirective.java b/blog-core/src/main/java/com/zyd/blog/framework/tag/CustomTagDirective.java
index ce9854ac7c7c745d22ebfeb100da39b49fee0581..af6b4329685f7be1697e30d3214cce3f764e2ec8 100644
--- a/blog-core/src/main/java/com/zyd/blog/framework/tag/CustomTagDirective.java
+++ b/blog-core/src/main/java/com/zyd/blog/framework/tag/CustomTagDirective.java
@@ -28,8 +28,10 @@ import freemarker.core.Environment;
 import freemarker.template.*;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
 
 import java.io.IOException;
+import java.util.HashMap;
 import java.util.Map;
 
 /**
@@ -85,6 +87,20 @@ public class CustomTagDirective implements TemplateDirectiveModel {
                     // 站点属性
                     environment.setVariable("siteInfo", builder.build().wrap(configService.getSiteInfo()));
                     break;
+                case "menus":
+                    Integer userId = null;
+                    if (map.containsKey("userId")) {
+                        String userIdStr = map.get("userId").toString();
+                        if(StringUtils.isEmpty(userIdStr)){
+                            return;
+                        }
+                        userId = Integer.parseInt(userIdStr);
+                    }
+                    Map<String, Object> params = new HashMap<>(2);
+                    params.put("type", "menu");
+                    params.put("userId", userId);
+                    environment.setVariable("menus", builder.build().wrap(resourcesService.listUserResources(params)));
+                    break;
                 default:
                     break;
             }
diff --git a/blog-core/src/main/java/com/zyd/blog/persistence/mapper/SysUserMapper.java b/blog-core/src/main/java/com/zyd/blog/persistence/mapper/SysUserMapper.java
index d0f9c6422adf6627c10ffac19bc5672d90d9cbd4..0d9f120becabf20cec90a73a2e60353c14acb127 100644
--- a/blog-core/src/main/java/com/zyd/blog/persistence/mapper/SysUserMapper.java
+++ b/blog-core/src/main/java/com/zyd/blog/persistence/mapper/SysUserMapper.java
@@ -42,4 +42,6 @@ public interface SysUserMapper extends BaseMapper<SysUser> {
 
     List<SysUser> findPageBreakByCondition(UserConditionVO vo);
 
+    List<SysUser> listByRoleId(Long roleId);
+
 }
diff --git a/blog-core/src/main/resources/mybatis/SysUserMapper.xml b/blog-core/src/main/resources/mybatis/SysUserMapper.xml
index 7bbaa988f3ea3375a94af8d3d899da5bfc2fc0d3..bc72d99b8a5a14614e3c1ff8360c7932409fed86 100644
--- a/blog-core/src/main/resources/mybatis/SysUserMapper.xml
+++ b/blog-core/src/main/resources/mybatis/SysUserMapper.xml
@@ -80,5 +80,17 @@
 			s.create_time DESC
 	</select>
 
+	<select id="listByRoleId" parameterType="Long" resultMap="rm">
+		SELECT
+			s.id,
+			s.username,
+			s.nickname
+		FROM
+			sys_user s
+		INNER JOIN sys_user_role sur ON  sur.user_id = s.id
+		WHERE
+			sur.role_id = #{roleId}
+	</select>
+
 </mapper>