diff --git a/report-core/src/main/java/com/anjiplus/template/gaea/business/filter/TokenFilter.java b/report-core/src/main/java/com/anjiplus/template/gaea/business/filter/TokenFilter.java
index d748a558..04b94719 100644
--- a/report-core/src/main/java/com/anjiplus/template/gaea/business/filter/TokenFilter.java
+++ b/report-core/src/main/java/com/anjiplus/template/gaea/business/filter/TokenFilter.java
@@ -4,8 +4,10 @@ package com.anjiplus.template.gaea.business.filter;
 import com.alibaba.fastjson.JSONObject;
 import com.anji.plus.gaea.bean.ResponseBean;
 import com.anji.plus.gaea.cache.CacheHelper;
+import com.anji.plus.gaea.constant.GaeaConstant;
 import com.anji.plus.gaea.utils.JwtBean;
 import com.anjiplus.template.gaea.business.constant.BusinessConstant;
+import com.anjiplus.template.gaea.business.modules.accessuser.controller.dto.GaeaUserDto;
 import com.anjiplus.template.gaea.business.util.JwtUtil;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.entity.ContentType;
@@ -14,13 +16,20 @@ import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
 import org.springframework.stereotype.Component;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.CollectionUtils;
 
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.List;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+import static com.anji.plus.gaea.constant.GaeaConstant.URL_REPLACEMENT;
 
 /**
  * 简单的鉴权
@@ -33,6 +42,7 @@ public class TokenFilter implements Filter {
     private static final Pattern PATTERN = Pattern.compile(".*().*");
     private static final String USER_GUEST = "guest";
     private static final String SLASH = "/";
+    private AntPathMatcher antPathMatcher = new AntPathMatcher();
 
     @Autowired
     private CacheHelper cacheHelper;
@@ -115,6 +125,49 @@ public class TokenFilter implements Filter {
         }
         String gaeaUserJsonStr = cacheHelper.stringGet(userKey);
 
+        //判断接口权限
+        //请求路径
+        String requestUrl = request.getRequestURI();
+        String methodValue = request.getMethod();
+        //请求方法+#+请求路径
+        String urlKey = methodValue + GaeaConstant.URL_SPLIT + requestUrl;
+
+        GaeaUserDto gaeaUserDto = JSONObject.parseObject(gaeaUserJsonStr, GaeaUserDto.class);
+        List authorities = gaeaUserDto.getAuthorities();
+        Map applicationNameAllAuthorities = cacheHelper.hashGet(BusinessConstant.GAEA_SECURITY_AUTHORITIES);
+        AtomicBoolean authFlag = new AtomicBoolean(false);
+        //查询当前请求是否在对应的权限里。即:先精确匹配(保证当前路由是需要精确匹配还是模糊匹配,防止精确匹配的被模糊匹配)
+        // 比如:/user/info和/user/**同时存在,/user/info,被/user/**匹配掉
+        if (applicationNameAllAuthorities.containsKey(urlKey)) {
+            String permissionCode = applicationNameAllAuthorities.get(urlKey);
+            if (authorities.contains(permissionCode)) {
+                authFlag.set(true);
+            }
+        } else {
+            List collect = applicationNameAllAuthorities.keySet().stream()
+                    .filter(key -> StringUtils.isNotBlank(key) && key.contains(URL_REPLACEMENT))
+                    .filter(key -> antPathMatcher.match(key, urlKey)).collect(Collectors.toList());
+            if (CollectionUtils.isEmpty(collect)) {
+                authFlag.set(true);
+            }else {
+                collect.forEach(key -> {
+                    String permissionCode = applicationNameAllAuthorities.getOrDefault(key, "");
+                    if (authorities.contains(permissionCode)) {
+                        authFlag.set(true);
+                    }
+                });
+            }
+        }
+
+        if (!authFlag.get()) {
+            //无权限
+            authError(response);
+            return;
+        }
+
+
+
+
         // 延长有效期
         cacheHelper.stringSetExpire(tokenKey, token, 3600);
         cacheHelper.stringSetExpire(userKey, gaeaUserJsonStr, 3600);
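Review bot: The pattern branch of the new authorization block grants access when no key matches at all (`if (CollectionUtils.isEmpty(collect)) { authFlag.set(true); }`), so every endpoint absent from `GAEA_SECURITY_AUTHORITIES` is open to any authenticated user, and nothing in the hunk says whether that default-allow is intended. The same block calls `containsKey` on the `hashGet` result and `contains` on `gaeaUserDto.getAuthorities()` without null checks, so a missing cache entry or a user record without authorities ends in an exception rather than a deliberate deny. `urlKey` is built from `request.getRequestURI()`, which is the raw, undecoded URI including the context path, so the string matched here can differ from the path Spring dispatches on; deriving it from the decoded servlet path keeps the check aligned with routing. The sketch below turns the null cases into an explicit deny, replaces the `AtomicBoolean`/`forEach` pair with a plain boolean and `anyMatch`, and marks the default-allow for confirmation; `doFilter` starts and ends outside the hunk.
```java
        // … unchanged: requestUrl / methodValue / urlKey construction …
        GaeaUserDto gaeaUserDto = JSONObject.parseObject(gaeaUserJsonStr, GaeaUserDto.class);
        Map<String, String> allAuthorities = cacheHelper.hashGet(BusinessConstant.GAEA_SECURITY_AUTHORITIES);
        if (gaeaUserDto == null || gaeaUserDto.getAuthorities() == null || allAuthorities == null) {
            authError(response); // missing user record or authority table: deny instead of throwing
            return;
        }
        List<String> authorities = gaeaUserDto.getAuthorities();
        boolean authorized;
        if (allAuthorities.containsKey(urlKey)) {
            // exact key takes precedence over any pattern key, as the original comment explains
            authorized = authorities.contains(allAuthorities.get(urlKey));
        } else {
            List<String> matched = allAuthorities.keySet().stream()
                    .filter(key -> StringUtils.isNotBlank(key) && key.contains(URL_REPLACEMENT))
                    .filter(key -> antPathMatcher.match(key, urlKey))
                    .collect(Collectors.toList());
            // NOTE(review): an unregistered URL is still allowed here, as in the original — confirm this is intended
            authorized = matched.isEmpty()
                    || matched.stream().anyMatch(key -> authorities.contains(allAuthorities.getOrDefault(key, "")));
        }
        if (!authorized) {
            authError(response);
            return;
        }
        // … unchanged: 延长有效期 / stringSetExpire calls …
```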
@@ -180,4 +233,10 @@ public class TokenFilter implements Filter {
         response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
         response.getWriter().print(JSONObject.toJSONString(responseBean));
     }
+
+    private void authError(HttpServletResponse response) throws IOException {
+        ResponseBean responseBean = ResponseBean.builder().code("User.no.authority").message("没有权限").build();
+        response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
+        response.getWriter().print(JSONObject.toJSONString(responseBean));
+    }
 }
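Review bot: `authError` writes the "no permission" body with whatever status the response already carries, because nothing in the method sets one, so a client or proxy sees a success status on a denied request; adding `response.setStatus(HttpServletResponse.SC_FORBIDDEN);` before `setContentType` makes the denial visible without reading the body. Its last two lines repeat verbatim the two context lines of the preceding error method, so both could delegate to a private `writeJson(HttpServletResponse response, ResponseBean body)` helper and keep the content-type and serialization in one place. The preceding method starts outside the hunk, so whether it sets a status itself is not visible here.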