diff --git a/imooc-security-app/src/main/java/com/imooc/security/app/ImoocResourceServerConfig.java b/imooc-security-app/src/main/java/com/imooc/security/app/ImoocResourceServerConfig.java index 72a90cf..a84b5a1 100644 --- a/imooc-security-app/src/main/java/com/imooc/security/app/ImoocResourceServerConfig.java +++ b/imooc-security-app/src/main/java/com/imooc/security/app/ImoocResourceServerConfig.java @@ -14,6 +14,7 @@ import com.imooc.security.app.authentication.openid.OpenIdAuthenticationSecurityConfig; import com.imooc.security.core.authentication.mobile.SmsCodeAuthenticationSecurityConfig; +import com.imooc.security.core.authorize.AuthorizeConfigManager; import com.imooc.security.core.properties.SecurityConstants; import com.imooc.security.core.properties.SecurityProperties; import com.imooc.security.core.validate.code.ValidateCodeSecurityConfig; @@ -47,6 +48,9 @@ public class ImoocResourceServerConfig extends ResourceServerConfigurerAdapter { @Autowired private SecurityProperties securityProperties; + @Autowired + private AuthorizeConfigManager authorizeConfigManager; + @Override public void configure(HttpSecurity http) throws Exception { @@ -64,22 +68,9 @@ public void configure(HttpSecurity http) throws Exception { .and() .apply(openIdAuthenticationSecurityConfig) .and() - .authorizeRequests() - .antMatchers( - SecurityConstants.DEFAULT_UNAUTHENTICATION_URL, - SecurityConstants.DEFAULT_LOGIN_PROCESSING_URL_MOBILE, - SecurityConstants.DEFAULT_LOGIN_PROCESSING_URL_OPENID, - securityProperties.getBrowser().getLoginPage(), - SecurityConstants.DEFAULT_VALIDATE_CODE_URL_PREFIX+"/*", - securityProperties.getBrowser().getSignUpUrl(), - securityProperties.getBrowser().getSession().getSessionInvalidUrl(), - securityProperties.getBrowser().getSignOutUrl(), - "/user/regist", "/social/signUp") - .permitAll() - .anyRequest() - .authenticated() - .and() .csrf().disable(); + + authorizeConfigManager.config(http.authorizeRequests()); } } \ No newline at end of file 
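Review bot: With `.anyRequest().authenticated()` removed from this chain, nothing in `configure` guarantees a catch-all rule any more. The only source of URL rules is now `authorizeConfigManager.config(http.authorizeRequests())`, and `ImoocAuthorizeConfigManager` in this commit leaves its own fallback commented out (`// config.anyRequest().authenticated();`). An application that ships only `ImoocAuthorizeConfigProvider` would register the permit-all matchers and nothing else, and as far as I know Spring Security's default interceptor settings let through a request that matches no rule. The same removal is made in `BrowserSecurityConfig`. I would have the manager guarantee the default itself by restoring `config.anyRequest().authenticated();` after the loop, or, on Spring Security versions that reject a second `anyRequest()`, by tracking whether a provider has already claimed it; `configure` begins above this hunk.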
diff --git a/imooc-security-browser/src/main/java/com/imooc/security/browser/BrowserSecurityConfig.java b/imooc-security-browser/src/main/java/com/imooc/security/browser/BrowserSecurityConfig.java index cc61599..bfc3d51 100644 --- a/imooc-security-browser/src/main/java/com/imooc/security/browser/BrowserSecurityConfig.java +++ b/imooc-security-browser/src/main/java/com/imooc/security/browser/BrowserSecurityConfig.java @@ -19,7 +19,7 @@ import com.imooc.security.core.authentication.AbstractChannelSecurityConfig; import com.imooc.security.core.authentication.mobile.SmsCodeAuthenticationSecurityConfig; -import com.imooc.security.core.properties.SecurityConstants; +import com.imooc.security.core.authorize.AuthorizeConfigManager; import com.imooc.security.core.properties.SecurityProperties; import com.imooc.security.core.validate.code.ValidateCodeSecurityConfig; @@ -57,6 +57,9 @@ public class BrowserSecurityConfig extends AbstractChannelSecurityConfig { @Autowired private LogoutSuccessHandler logoutSuccessHandler; + @Autowired + private AuthorizeConfigManager authorizeConfigManager; + @Override protected void configure(HttpSecurity http) throws Exception { @@ -85,22 +88,10 @@ protected void configure(HttpSecurity http) throws Exception { .logoutSuccessHandler(logoutSuccessHandler) .deleteCookies("JSESSIONID") .and() - .authorizeRequests() - .antMatchers( - SecurityConstants.DEFAULT_UNAUTHENTICATION_URL, - SecurityConstants.DEFAULT_LOGIN_PROCESSING_URL_MOBILE, - securityProperties.getBrowser().getLoginPage(), - SecurityConstants.DEFAULT_VALIDATE_CODE_URL_PREFIX+"/*", - securityProperties.getBrowser().getSignUpUrl(), - securityProperties.getBrowser().getSession().getSessionInvalidUrl(), - securityProperties.getBrowser().getSignOutUrl(), - "/user/regist") - .permitAll() - .anyRequest() - .authenticated() - .and() .csrf().disable(); + authorizeConfigManager.config(http.authorizeRequests()); + } @Bean 
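Review bot: `.csrf().disable()` stays at the end of this chain although the browser configuration relies on a session cookie (the logout block just above deletes `JSESSIONID`), so state-changing requests are accepted without a CSRF token check. If that is deliberate for the course demo, say so next to the call, e.g. `// CSRF protection is off for the demo only; enable it before using session logins in production`. Otherwise drop `.csrf().disable()` and send the token from the login and sign-up forms. `configure` begins above this hunk, so any compensating control there is not visible.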
diff --git a/imooc-security-core/src/main/java/com/imooc/security/core/authorize/AuthorizeConfigManager.java b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/AuthorizeConfigManager.java new file mode 100644 index 0000000..dc46141 --- /dev/null +++ b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/AuthorizeConfigManager.java @@ -0,0 +1,17 @@ +/** + * + */ +package com.imooc.security.core.authorize; + +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; + +/** + * @author zhailiang + * + */ +public interface AuthorizeConfigManager { + + void config(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry config); + +} diff --git a/imooc-security-core/src/main/java/com/imooc/security/core/authorize/AuthorizeConfigProvider.java b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/AuthorizeConfigProvider.java new file mode 100644 index 0000000..f937d13 --- /dev/null +++ b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/AuthorizeConfigProvider.java @@ -0,0 +1,17 @@ +/** + * + */ +package com.imooc.security.core.authorize; + +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; + +/** + * @author zhailiang + * + */ +public interface AuthorizeConfigProvider { + + void config(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry config); + +} diff --git a/imooc-security-core/src/main/java/com/imooc/security/core/authorize/ImoocAuthorizeConfigManager.java b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/ImoocAuthorizeConfigManager.java new file mode 100644 index 0000000..4d82b52 --- /dev/null 
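Review bot: `AuthorizeConfigProvider` carries only an `@author` tag, yet implementations depend on a contract that is written down nowhere: the manager passes the same registry to every provider in list order, and a provider that calls `anyRequest()` has to run last. I would state that in the interface Javadoc, e.g. `Contributes URL authorization rules to the shared registry; providers run in @Order sequence and only the last one may configure anyRequest().`, with a matching sentence on `AuthorizeConfigManager`. Both new interfaces also import `HttpSecurity` without using it.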
+++ b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/ImoocAuthorizeConfigManager.java @@ -0,0 +1,31 @@ +/** + * + */ +package com.imooc.security.core.authorize; + +import java.util.List; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; +import org.springframework.stereotype.Component; + +/** + * @author zhailiang + * + */ +@Component +public class ImoocAuthorizeConfigManager implements AuthorizeConfigManager { + + @Autowired + private List authorizeConfigProviders; + + @Override + public void config(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry config) { + for (AuthorizeConfigProvider authorizeConfigProvider : authorizeConfigProviders) { + authorizeConfigProvider.config(config); + } +// config.anyRequest().authenticated(); + } + +} diff --git a/imooc-security-core/src/main/java/com/imooc/security/core/authorize/ImoocAuthorizeConfigProvider.java b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/ImoocAuthorizeConfigProvider.java new file mode 100644 index 0000000..d5c1d3f --- /dev/null +++ b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/ImoocAuthorizeConfigProvider.java 
@@ -0,0 +1,40 @@ +/** + * + */ +package com.imooc.security.core.authorize; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.annotation.Order; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; +import org.springframework.stereotype.Component; + +import com.imooc.security.core.properties.SecurityConstants; +import com.imooc.security.core.properties.SecurityProperties; + +/** + * @author zhailiang + * + */ +@Component +@Order(Integer.MIN_VALUE) +public class ImoocAuthorizeConfigProvider implements AuthorizeConfigProvider { + + @Autowired + private SecurityProperties securityProperties; + + @Override + public void config(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry config) { + config.antMatchers( + SecurityConstants.DEFAULT_UNAUTHENTICATION_URL, + SecurityConstants.DEFAULT_LOGIN_PROCESSING_URL_MOBILE, + SecurityConstants.DEFAULT_LOGIN_PROCESSING_URL_OPENID, + securityProperties.getBrowser().getLoginPage(), + SecurityConstants.DEFAULT_VALIDATE_CODE_URL_PREFIX+"/*", + securityProperties.getBrowser().getSignUpUrl(), + securityProperties.getBrowser().getSession().getSessionInvalidUrl(), + securityProperties.getBrowser().getSignOutUrl()) + .permitAll(); + } + +} diff --git a/imooc-security-core/src/main/java/com/imooc/security/core/authorize/package-info.java b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/package-info.java new file mode 100644 index 0000000..902e7e7 --- /dev/null +++ b/imooc-security-core/src/main/java/com/imooc/security/core/authorize/package-info.java @@ -0,0 +1,8 @@ +/** + * + */ +/** + * @author zhailiang + * + */ +package com.imooc.security.core.authorize; \ No newline at end of file diff --git a/imooc-security-demo/pom.xml b/imooc-security-demo/pom.xml index 4506262..530098a 100644 --- a/imooc-security-demo/pom.xml 
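Review bot: The permit-all list in `ImoocAuthorizeConfigProvider.config` no longer contains `"/user/regist"` or `"/social/signUp"`, which the chains removed from `ImoocResourceServerConfig` (both paths) and `BrowserSecurityConfig` (`"/user/regist"`) allowed without authentication. With the demo's catch-all now `@rbacService.hasPermission(request, authentication)`, an unauthenticated sign-up request is decided by that bean, which is not part of this diff. If the endpoints are meant to stay public, add an application-side provider ordered before the catch-all with `config.antMatchers("/user/regist", "/social/signUp").permitAll();`. If they were dropped on purpose, a comment here saying so would save the next reader the comparison.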
+++ b/imooc-security-demo/pom.xml @@ -10,13 +10,23 @@ - + + com.imooc.security + imooc-security-browser + ${imooc.security.version} + + + com.imooc.security + imooc-security-authorize + ${imooc.security.version} + + org.springframework.boot spring-boot-starter-test diff --git a/imooc-security-demo/src/main/java/com/imooc/security/DemoAuthorizeConifgProvider.java b/imooc-security-demo/src/main/java/com/imooc/security/DemoAuthorizeConifgProvider.java new file mode 100644 index 0000000..fd2d542 --- /dev/null +++ b/imooc-security-demo/src/main/java/com/imooc/security/DemoAuthorizeConifgProvider.java @@ -0,0 +1,30 @@ +/** + * + */ +package com.imooc.security; + +import org.springframework.core.annotation.Order; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; +import org.springframework.stereotype.Component; + +import com.imooc.security.core.authorize.AuthorizeConfigProvider; + +/** + * @author zhailiang + * + */ +@Component +@Order(Integer.MAX_VALUE) +public class DemoAuthorizeConifgProvider implements AuthorizeConfigProvider { + + /* (non-Javadoc) + * @see com.imooc.security.core.authorize.AuthorizeConfigProvider#config(org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry) + */ + @Override + public void config(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry config) { + + config.anyRequest().access("@rbacService.hasPermission(request, authentication)"); + } + +} diff --git a/imooc-security-demo/src/main/java/com/imooc/security/DemoUserDetailsService.java b/imooc-security-demo/src/main/java/com/imooc/security/DemoUserDetailsService.java index 041dee3..3582963 100644 --- a/imooc-security-demo/src/main/java/com/imooc/security/DemoUserDetailsService.java 
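Review bot: `@Order(Integer.MAX_VALUE)` on `DemoAuthorizeConifgProvider` does not by itself make this provider run last. As far as I know Spring gives beans without `@Order` the same lowest-precedence value, so any further `AuthorizeConfigProvider` that omits the annotation ties with this one and may be invoked after `anyRequest()`. Depending on the Spring Security version, matchers added after `anyRequest()` are either never consulted or rejected at startup. I would let the manager apply the catch-all after its loop, through a separate single-valued hook, rather than encode "last" as an order number. The class name also carries a typo (`Conifg`).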
+++ b/imooc-security-demo/src/main/java/com/imooc/security/DemoUserDetailsService.java @@ -53,7 +53,7 @@ private SocialUserDetails buildUser(String userId) { logger.info("数据库密码是:"+password); return new SocialUser(userId, password, true, true, true, true, - AuthorityUtils.commaSeparatedStringToAuthorityList("admin,ROLE_USER")); + AuthorityUtils.commaSeparatedStringToAuthorityList("xxx")); } } diff --git a/imooc-security-demo/src/main/java/com/imooc/validator/MyConstraint.java b/imooc-security-demo/src/main/java/com/imooc/validator/MyConstraint.java index 7457278..0581cf7 100644 --- a/imooc-security-demo/src/main/java/com/imooc/validator/MyConstraint.java +++ b/imooc-security-demo/src/main/java/com/imooc/validator/MyConstraint.java @@ -25,5 +25,7 @@ Class[] groups() default { }; Class[] payload() default { }; + + String field() default ""; } diff --git a/imooc-security-demo/src/main/java/com/imooc/web/controller/UserController.java b/imooc-security-demo/src/main/java/com/imooc/web/controller/UserController.java index e3de5cc..d1e735a 100644 --- a/imooc-security-demo/src/main/java/com/imooc/web/controller/UserController.java +++ b/imooc-security-demo/src/main/java/com/imooc/web/controller/UserController.java @@ -10,7 +10,6 @@ import javax.servlet.http.HttpServletRequest; import javax.validation.Valid; -import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.builder.ReflectionToStringBuilder; import org.apache.commons.lang.builder.ToStringStyle; import org.springframework.beans.factory.annotation.Autowired; 
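Review bot: The context line directly above the changed call, `logger.info("数据库密码是:"+password);` ("database password is: …"), writes the user's stored password value to the application log at INFO level on every `buildUser` call. Even if the value is an encoded hash it should not reach log files; delete the line or log only the identifier, e.g. `logger.info("loaded user " + userId);`. The new `"xxx"` authority looks like a test placeholder and deserves a comment saying so. `buildUser` begins above this hunk.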
@@ -32,12 +31,8 @@ import com.fasterxml.jackson.annotation.JsonView; import com.imooc.dto.User; import com.imooc.dto.UserQueryCondition; -import com.imooc.security.app.social.AppSingUpUtils; -import com.imooc.security.core.properties.SecurityProperties; -import io.jsonwebtoken.Claims; import io.jsonwebtoken.ExpiredJwtException; -import io.jsonwebtoken.Jwts; import io.jsonwebtoken.MalformedJwtException; import io.jsonwebtoken.SignatureException; import io.jsonwebtoken.UnsupportedJwtException; @@ -55,19 +50,19 @@ public class UserController { @Autowired private ProviderSignInUtils providerSignInUtils; - @Autowired - private AppSingUpUtils appSingUpUtils; +// @Autowired +// private AppSingUpUtils appSingUpUtils; - @Autowired - private SecurityProperties securityProperties; +// @Autowired +// private SecurityProperties securityProperties; @PostMapping("/regist") public void regist(User user, HttpServletRequest request) { //不管是注册用户还是绑定用户,都会拿到一个用户唯一标识。 String userId = user.getUsername(); - //providerSignInUtils.doPostSignUp(userId, new ServletWebRequest(request)); - appSingUpUtils.doPostSignUp(new ServletWebRequest(request), userId); + providerSignInUtils.doPostSignUp(userId, new ServletWebRequest(request)); +// appSingUpUtils.doPostSignUp(new ServletWebRequest(request), userId); } @GetMapping("/me") diff --git a/imooc-security-demo/src/main/resources/application.properties b/imooc-security-demo/src/main/resources/application.properties index 6a48595..82d6542 100644 --- a/imooc-security-demo/src/main/resources/application.properties +++ b/imooc-security-demo/src/main/resources/application.properties 
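Review bot: `regist` passes `user.getUsername()` from the request straight into `providerSignInUtils.doPostSignUp(userId, new ServletWebRequest(request))`, so the pending social connection is bound to whatever username the caller supplies. Nothing visible in the hunk checks that the caller owns that account or that the name is unused. For the bind-to-existing-account case I would verify the account's credentials before the call, and for the register case reject a username that already exists. The commented-out `appSingUpUtils` and `securityProperties` fields and call should be deleted rather than left in place, since version control keeps the old code.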
@@ -3,14 +3,13 @@ spring.datasource.url= jdbc:mysql://127.0.0.1:3306/imooc-demo?useUnicode=yes&cha spring.datasource.username = root spring.datasource.password = 123456 -spring.session.store-type = REDIS +spring.session.store-type = none server.session.timeout = 600 #security.basic.enabled = false -server.port = 9999 -server.context-path = /sso +server.port = 8060 #imooc.security.browser.loginPage = /demo-signIn.html #imooc.security.browser.loginType = REDIRECT diff --git a/imooc-security-demo/src/main/resources/resources/demo.html b/imooc-security-demo/src/main/resources/resources/demo.html new file mode 100644 index 0000000..0b5c098 --- /dev/null +++ b/imooc-security-demo/src/main/resources/resources/demo.html @@ -0,0 +1,10 @@ + + + + +Insert title here + + + DEMO + + \ No newline at end of file diff --git a/imooc-security-demo/src/main/resources/resources/error/403.html b/imooc-security-demo/src/main/resources/resources/error/403.html new file mode 100644 index 0000000..e1d5426 --- /dev/null +++ b/imooc-security-demo/src/main/resources/resources/error/403.html @@ -0,0 +1,10 @@ + + + + +403 + + + 您无权访问此页面 + + \ No newline at end of file
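Review bot: The unchanged lines at the top of the `application.properties` hunk keep `spring.datasource.username = root` and `spring.datasource.password = 123456` in a committed file. Anyone with read access to the repository gets the database credentials, and the application runs with full administrative rights on the MySQL server. I would resolve the password from the environment, e.g. `spring.datasource.password = ${DB_PASSWORD}`, and connect with an account limited to the demo schema.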