diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/UserApplication.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/UserApplication.java
new file mode 100644
index 0000000..85c853c
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/UserApplication.java
@@ -0,0 +1,16 @@
+package com.supwisdom.leaveschool.user;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+import com.supwisdom.infras.data.jpa.EnableInfrasDataJpa;
+
+@SpringBootApplication
+@EnableInfrasDataJpa
+public class UserApplication {
+
+  public static void main(String[] args) {
+    SpringApplication.run(UserApplication.class, args);
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/config/FilterConfig.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/config/FilterConfig.java
new file mode 100644
index 0000000..d029ef7
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/config/FilterConfig.java
@@ -0,0 +1,14 @@
+package com.supwisdom.leaveschool.user.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+
+@Configuration
+public class FilterConfig extends WebMvcConfigurerAdapter{
+
+	 @Override
+	    public void addCorsMappings(CorsRegistry registry) {
+	        registry.addMapping("/**");
+	    }
+}
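Review bot: `registry.addMapping("/**")` is registered with no origin restriction, so Spring's default CORS configuration (any origin) applies to every path, including the `/api/v1/admin/**` controllers added in this same commit. Limit the mapping to the front-end origins this service is meant to serve, for example `registry.addMapping("/api/**").allowedOrigins(allowedOrigins).allowedMethods("GET", "POST", "PUT", "DELETE");`, where `allowedOrigins` is a placeholder for a list read from configuration. `WebMvcConfigurerAdapter` is deprecated from Spring 5 onwards, so if the project is on that line, implement `WebMvcConfigurer` directly instead.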
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/config/PasswordEncoderConfig.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/config/PasswordEncoderConfig.java
new file mode 100644
index 0000000..a92dea4
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/config/PasswordEncoderConfig.java
@@ -0,0 +1,30 @@
+package com.supwisdom.leaveschool.user.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class PasswordEncoderConfig {
+  
+  private static final Logger logger = LoggerFactory.getLogger(PasswordEncoderConfig.class);
+  
+  @Bean
+  public PasswordEncoder passwordEncoder() {
+    
+    PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
+
+    if (passwordEncoder instanceof DelegatingPasswordEncoder) {
+      ((DelegatingPasswordEncoder)passwordEncoder).setDefaultPasswordEncoderForMatches(NoOpPasswordEncoder.getInstance());
+    }
+
+    logger.debug("PasswordEncoderConfig passwordEncoder is {}", passwordEncoder);
+    return passwordEncoder;
+  }
+
+}
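Review bot: `setDefaultPasswordEncoderForMatches(NoOpPasswordEncoder.getInstance())` makes every stored password that lacks an `{id}` prefix match by plain string comparison, which only succeeds if those passwords are stored in clear text. If this is a bridge for legacy rows, state that above the `if`, e.g. `// TEMPORARY: un-prefixed legacy passwords are compared as plaintext; remove once all rows are re-encoded`, and re-encode the password on the next successful login. Otherwise drop the fallback so that un-prefixed values are no longer accepted. `NoOpPasswordEncoder` is deprecated in Spring Security because it provides no protection for stored credentials.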
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminGroupController.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminGroupController.java
new file mode 100644
index 0000000..f8ab693
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminGroupController.java
@@ -0,0 +1,194 @@
+package com.supwisdom.leaveschool.user.controller.api.admin;
+
+import java.util.HashMap;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.domain.Page;
+import org.springframework.util.MimeTypeUtils;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.supwisdom.leaveschool.common.controller.api.CrudApiController;
+import com.supwisdom.leaveschool.common.model.PagerRequestModel;
+import com.supwisdom.leaveschool.common.model.PagerResponseModel;
+import com.supwisdom.leaveschool.common.model.SuccessResponseModel;
+import com.supwisdom.leaveschool.user.domain.Group;
+import com.supwisdom.leaveschool.user.domain.GroupRole;
+import com.supwisdom.leaveschool.user.domain.UserGroup;
+import com.supwisdom.leaveschool.user.model.GroupRoles;
+import com.supwisdom.leaveschool.user.model.UserGroups;
+import com.supwisdom.leaveschool.user.repository.GroupRepository;
+import com.supwisdom.leaveschool.user.repository.GroupRoleRepository;
+import com.supwisdom.leaveschool.user.repository.UserGroupRepository;
+
+@RestController
+@RequestMapping("/api/v1/admin/groups")
+public class Api1AdminGroupController extends CrudApiController<Group, GroupRepository> {
+
+  @Autowired
+  private GroupRepository groupRepository;
+
+  @Autowired
+  private UserGroupRepository userGroupRepository;
+
+  @Autowired
+  private GroupRoleRepository groupRoleRepository;
+
+  @Override
+  protected GroupRepository getRepository() {
+    return groupRepository;
+  }
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/groups/1/users'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/groups/1/users?pageIndex=2&pageSize=50'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/groups/1/users?pageIndex=0&pageSize=20&mapBean[userUsername]=userUsername&mapBean[userName]=userName'
+   * 
+   * 
+   * 
+   * @param id
+   * @param pagerRequestModel
+   * @return
+   */
+  @RequestMapping(value = "/{id}/users", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public PagerResponseModel<UserGroup> groupUsers(@PathVariable("id") String id, PagerRequestModel pagerRequestModel) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Group group = groupRepository.selectById(id);
+
+    if (group == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    if (pagerRequestModel.getMapBean() == null) {
+      pagerRequestModel.setMapBean(new HashMap<String, Object>());
+    }
+    pagerRequestModel.getMapBean().put("groupId", group.getId());
+
+    Page<UserGroup> page = userGroupRepository.selectUserGroups(pagerRequestModel.getPageIndex(),
+        pagerRequestModel.getPageSize(), pagerRequestModel.getMapBean());
+
+    PagerResponseModel<UserGroup> pagerResponseModel = PagerResponseModel.of(pagerRequestModel);
+    pagerResponseModel.setPageCount(page.getTotalPages());
+    pagerResponseModel.setRecordCount(page.getTotalElements());
+    pagerResponseModel.setItems(page.getContent());
+
+    return pagerResponseModel;
+  }
+
+  /**
+   * 
+   * curl -i -s -X POST -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/groups/1/users' \
+   * -d '{"groupUsers":[{"userId":"1"},{"userId":"2"}]}'
+   * 
+   * 
+   * @param id
+   * @param groupUsers
+   * @return
+   */
+  @RequestMapping(value = "/{id}/users", method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public SuccessResponseModel relateUsers(@PathVariable("id") String id, @RequestBody UserGroups groupUsers) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Group group = groupRepository.selectById(id);
+
+    if (group == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    userGroupRepository.relateGroupUsers(group, groupUsers.getUserGroups());
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.set.success");
+
+    return res;
+  }
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/groups/1/roles'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/groups/1/roles?pageIndex=2&pageSize=50'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/groups/1/roles?pageIndex=0&pageSize=20&mapBean[rolecode]=code&mapBean[rolename]=name'
+   * 
+   * 
+   * 
+   * @param id
+   * @param pagerRequestModel
+   * @return
+   */
+  @RequestMapping(value = "/{id}/roles", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public PagerResponseModel<GroupRole> groupRoles(@PathVariable("id") String id, PagerRequestModel pagerRequestModel) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Group group = groupRepository.selectById(id);
+
+    if (group == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    if (pagerRequestModel.getMapBean() == null) {
+      pagerRequestModel.setMapBean(new HashMap<String, Object>());
+    }
+    pagerRequestModel.getMapBean().put("groupId", group.getId());
+
+    Page<GroupRole> page = groupRoleRepository.selectGroupRoles(pagerRequestModel.getPageIndex(),
+        pagerRequestModel.getPageSize(), pagerRequestModel.getMapBean());
+
+    PagerResponseModel<GroupRole> pagerResponseModel = PagerResponseModel.of(pagerRequestModel);
+    pagerResponseModel.setPageCount(page.getTotalPages());
+    pagerResponseModel.setRecordCount(page.getTotalElements());
+    pagerResponseModel.setItems(page.getContent());
+
+    return pagerResponseModel;
+  }
+
+  /**
+   * 
+   * curl -i -s -X POST -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/groups/1/roles' \
+   * -d '{"groupRoles":[{"roleId":"1"},{"roleId":"2"}]}'
+   * 
+   * 
+   * @param id
+   * @param groupUsers
+   * @return
+   */
+  @RequestMapping(value = "/{id}/roles", method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public SuccessResponseModel relateRoles(@PathVariable("id") String id, @RequestBody GroupRoles groupRoles) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Group group = groupRepository.selectById(id);
+
+    if (group == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    groupRoleRepository.relateGroupRoles(group, groupRoles.getGroupRoles());
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.set.success");
+
+    return res;
+  }
+
+}
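Review bot: Nothing in this controller restricts who may call `relateUsers` and `relateRoles`, which rewrite group membership and group-role bindings under `/api/v1/admin/groups`. If a security filter chain outside this diff does not already cover `/api/v1/admin/**`, add one, or guard the class with method security such as `@PreAuthorize("hasRole('ADMIN')")` (the role name is a placeholder). Combined with the unrestricted CORS mapping in FilterConfig, these privilege-granting writes would otherwise be open to cross-origin callers. The same applies to Api1AdminPermissionController, Api1AdminRoleController and Api1AdminUserController.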
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminPermissionController.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminPermissionController.java
new file mode 100644
index 0000000..69f64c8
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminPermissionController.java
@@ -0,0 +1,114 @@
+package com.supwisdom.leaveschool.user.controller.api.admin;
+
+import java.util.HashMap;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.domain.Page;
+import org.springframework.util.MimeTypeUtils;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.supwisdom.leaveschool.common.controller.api.CrudApiController;
+import com.supwisdom.leaveschool.common.model.PagerRequestModel;
+import com.supwisdom.leaveschool.common.model.PagerResponseModel;
+import com.supwisdom.leaveschool.common.model.SuccessResponseModel;
+import com.supwisdom.leaveschool.user.domain.Permission;
+import com.supwisdom.leaveschool.user.domain.RolePermission;
+import com.supwisdom.leaveschool.user.model.RolePermissions;
+import com.supwisdom.leaveschool.user.repository.PermissionRepository;
+import com.supwisdom.leaveschool.user.repository.RolePermissionRepository;
+
+@RestController
+@RequestMapping("/api/v1/admin/permissions")
+public class Api1AdminPermissionController extends CrudApiController<Permission, PermissionRepository> {
+
+  @Autowired
+  private PermissionRepository permissionRepository;
+
+  @Autowired
+  private RolePermissionRepository permissionRoleRepository;
+
+  @Override
+  protected PermissionRepository getRepository() {
+    return permissionRepository;
+  }
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/permissions/1/roles'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/permissions/1/roles?pageIndex=2&pageSize=50'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/permissions/1/roles?pageIndex=0&pageSize=20&mapBean[roleCode]=roleCode&mapBean[roleName]=roleName'
+   * 
+   * 
+   * 
+   * @param id
+   * @param pagerRequestModel
+   * @return
+   */
+  @RequestMapping(value = "/{id}/roles", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public PagerResponseModel<RolePermission> permissionRoles(@PathVariable("id") String id, PagerRequestModel pagerRequestModel) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Permission permission = permissionRepository.selectById(id);
+
+    if (permission == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    if (pagerRequestModel.getMapBean() == null) {
+      pagerRequestModel.setMapBean(new HashMap<String, Object>());
+    }
+    pagerRequestModel.getMapBean().put("permissionId", permission.getId());
+
+    Page<RolePermission> page = permissionRoleRepository.selectRolePermissions(pagerRequestModel.getPageIndex(),
+        pagerRequestModel.getPageSize(), pagerRequestModel.getMapBean());
+
+    PagerResponseModel<RolePermission> pagerResponseModel = PagerResponseModel.of(pagerRequestModel);
+    pagerResponseModel.setPageCount(page.getTotalPages());
+    pagerResponseModel.setRecordCount(page.getTotalElements());
+    pagerResponseModel.setItems(page.getContent());
+
+    return pagerResponseModel;
+  }
+
+  /**
+   * 
+   * curl -i -s -X POST -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/permissions/1/roles' \
+   * -d '{"rolePermissions":[{"roleId":"1"},{"roleId":"2"}]}'
+   * 
+   * 
+   * @param id
+   * @param permissionUsers
+   * @return
+   */
+  @RequestMapping(value = "/{id}/roles", method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public SuccessResponseModel relateRoles(@PathVariable("id") String id, @RequestBody RolePermissions rolePermissions) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Permission permission = permissionRepository.selectById(id);
+
+    if (permission == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    permissionRoleRepository.relatePermissionRoles(permission, rolePermissions.getRolePermissions());
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.set.success");
+
+    return res;
+  }
+
+}
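Review bot: `relateRoles` hands `rolePermissions.getRolePermissions()` straight to `relatePermissionRoles` without checking it, so a request body such as `{}` reaches the repository with whatever the model defaults to, possibly null. The model and repository are outside this hunk, so whether that clears existing bindings or throws is unconfirmed. Reject a null list before the repository call, in the same style as the id check above it, and decide explicitly whether an empty list means "remove all". The relate* methods in Api1AdminGroupController and Api1AdminRoleController pass their lists through the same way. The Javadoc also names `@param permissionUsers` while the parameter is `rolePermissions`.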
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminRoleController.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminRoleController.java
new file mode 100644
index 0000000..cbd6845
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminRoleController.java
@@ -0,0 +1,279 @@
+package com.supwisdom.leaveschool.user.controller.api.admin;
+
+import java.util.HashMap;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.domain.Page;
+import org.springframework.util.MimeTypeUtils;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.supwisdom.leaveschool.common.controller.api.CrudApiController;
+import com.supwisdom.leaveschool.common.model.PagerRequestModel;
+import com.supwisdom.leaveschool.common.model.PagerResponseModel;
+import com.supwisdom.leaveschool.common.model.SuccessResponseModel;
+import com.supwisdom.leaveschool.user.domain.GroupRole;
+import com.supwisdom.leaveschool.user.domain.Role;
+import com.supwisdom.leaveschool.user.domain.RolePermission;
+import com.supwisdom.leaveschool.user.domain.UserRole;
+import com.supwisdom.leaveschool.user.model.GroupRoles;
+import com.supwisdom.leaveschool.user.model.RolePermissions;
+import com.supwisdom.leaveschool.user.model.UserRoles;
+import com.supwisdom.leaveschool.user.repository.GroupRoleRepository;
+import com.supwisdom.leaveschool.user.repository.RolePermissionRepository;
+import com.supwisdom.leaveschool.user.repository.RoleRepository;
+import com.supwisdom.leaveschool.user.repository.UserRoleRepository;
+
+@RestController
+@RequestMapping("/api/v1/admin/roles")
+public class Api1AdminRoleController extends CrudApiController<Role, RoleRepository> {
+
+  @Autowired
+  private RoleRepository roleRepository;
+
+  @Override
+  protected RoleRepository getRepository() {
+    return roleRepository;
+  }
+
+  @Autowired
+  private UserRoleRepository userRoleRepository;
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/users'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/users?pageIndex=2&pageSize=50'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/users?pageIndex=0&pageSize=20&mapBean[userName]=userName'
+   * 
+   * 
+   * 
+   * @param id
+   * @param pagerRequestModel
+   * @return
+   */
+  @RequestMapping(value = "/{id}/users", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public PagerResponseModel<UserRole> roleUsers(@PathVariable("id") String id, PagerRequestModel pagerRequestModel) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Role role = roleRepository.selectById(id);
+
+    if (role == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    if (pagerRequestModel.getMapBean() == null) {
+      pagerRequestModel.setMapBean(new HashMap<String, Object>());
+    }
+    pagerRequestModel.getMapBean().put("roleId", role.getId());
+
+    Page<UserRole> page = userRoleRepository.selectUserRoles(pagerRequestModel.getPageIndex(),
+        pagerRequestModel.getPageSize(), pagerRequestModel.getMapBean());
+
+    PagerResponseModel<UserRole> pagerResponseModel = PagerResponseModel.of(pagerRequestModel);
+    pagerResponseModel.setPageCount(page.getTotalPages());
+    pagerResponseModel.setRecordCount(page.getTotalElements());
+    pagerResponseModel.setItems(page.getContent());
+
+    return pagerResponseModel;
+  }
+
+  /**
+   * 
+   * curl -i -s -X POST -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/users' \
+   * -d '{"userRoles":[{"userId":"test001"},{"userId":"test002"}]}'
+   * 
+   * 
+   * @param id
+   * @param userRoles
+   * @return
+   */
+  @RequestMapping(value = "/{id}/users", method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public SuccessResponseModel relateUsers(@PathVariable("id") String id, @RequestBody UserRoles userRoles) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Role role = roleRepository.selectById(id);
+
+    if (role == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    userRoleRepository.relateRoleUsers(role, userRoles.getUserRoles());
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.set.success");
+
+    return res;
+  }
+
+  
+  
+
+  @Autowired
+  private GroupRoleRepository groupRoleRepository;
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/groups'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/groups?pageIndex=2&pageSize=50'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/groups?pageIndex=0&pageSize=20&mapBean[groupName]=groupName'
+   * 
+   * 
+   * 
+   * @param id
+   * @param pagerRequestModel
+   * @return
+   */
+  @RequestMapping(value = "/{id}/groups", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public PagerResponseModel<GroupRole> roleGroups(@PathVariable("id") String id, PagerRequestModel pagerRequestModel) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Role role = roleRepository.selectById(id);
+
+    if (role == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    if (pagerRequestModel.getMapBean() == null) {
+      pagerRequestModel.setMapBean(new HashMap<String, Object>());
+    }
+    pagerRequestModel.getMapBean().put("roleId", role.getId());
+
+    Page<GroupRole> page = groupRoleRepository.selectGroupRoles(pagerRequestModel.getPageIndex(),
+        pagerRequestModel.getPageSize(), pagerRequestModel.getMapBean());
+
+    PagerResponseModel<GroupRole> pagerResponseModel = PagerResponseModel.of(pagerRequestModel);
+    pagerResponseModel.setPageCount(page.getTotalPages());
+    pagerResponseModel.setRecordCount(page.getTotalElements());
+    pagerResponseModel.setItems(page.getContent());
+
+    return pagerResponseModel;
+  }
+
+  /**
+   * 
+   * curl -i -s -X POST -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/groups' \
+   * -d '{"userRoles":[{"groupId":"1"},{"groupId":"2"}]}'
+   * 
+   * 
+   * @param id
+   * @param groupRoles
+   * @return
+   */
+  @RequestMapping(value = "/{id}/groups", method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public SuccessResponseModel relateGroups(@PathVariable("id") String id, @RequestBody GroupRoles groupRoles) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Role role = roleRepository.selectById(id);
+
+    if (role == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    groupRoleRepository.relateRoleGroups(role, groupRoles.getGroupRoles());
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.set.success");
+
+    return res;
+  }
+
+
+
+  @Autowired
+  private RolePermissionRepository rolePermissionRepository;
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/permissions'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/permissions?pageIndex=2&pageSize=50'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/permissions?pageIndex=0&pageSize=20&mapBean[permissionCode]=permissionCode'
+   * 
+   * 
+   * 
+   * @param id
+   * @param pagerRequestModel
+   * @return
+   */
+  @RequestMapping(value = "/{id}/permissions", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public PagerResponseModel<RolePermission> rolePermissions(@PathVariable("id") String id, PagerRequestModel pagerRequestModel) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Role role = roleRepository.selectById(id);
+
+    if (role == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    if (pagerRequestModel.getMapBean() == null) {
+      pagerRequestModel.setMapBean(new HashMap<String, Object>());
+    }
+    pagerRequestModel.getMapBean().put("roleId", role.getId());
+
+    Page<RolePermission> page = rolePermissionRepository.selectRolePermissions(pagerRequestModel.getPageIndex(),
+        pagerRequestModel.getPageSize(), pagerRequestModel.getMapBean());
+
+    PagerResponseModel<RolePermission> pagerResponseModel = PagerResponseModel.of(pagerRequestModel);
+    pagerResponseModel.setPageCount(page.getTotalPages());
+    pagerResponseModel.setRecordCount(page.getTotalElements());
+    pagerResponseModel.setItems(page.getContent());
+
+    return pagerResponseModel;
+  }
+
+  /**
+   * 
+   * curl -i -s -X POST -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/roles/1/permissons' \
+   * -d '{"userRoles":[{"permissionId":"1"},{"permissionId":"2"}]}'
+   * 
+   * 
+   * @param id
+   * @param groupRoles
+   * @return
+   */
+  @RequestMapping(value = "/{id}/permissons", method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public SuccessResponseModel relatePermissions(@PathVariable("id") String id, @RequestBody RolePermissions rolePermissions) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    Role role = roleRepository.selectById(id);
+
+    if (role == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    rolePermissionRepository.relateRolePermissions(role, rolePermissions.getRolePermissions());
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.set.success");
+
+    return res;
+  }
+
+}
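Review bot: The POST mapping for `relatePermissions` is spelled `"/{id}/permissons"` while the matching GET uses `"/{id}/permissions"`, so the write route is published under a misspelled path that clients will come to depend on. Fix it before release: `@RequestMapping(value = "/{id}/permissions", method = RequestMethod.POST, ...)`, and correct the curl example above it in the same way. The curl examples for `relateGroups` and `relatePermissions` also post a `"userRoles"` key although the bodies bind to `GroupRoles` and `RolePermissions`; judging by the getters, `groupRoles` and `rolePermissions` are probably intended, so verify against the model classes. The Javadoc for `relatePermissions` lists `@param groupRoles` instead of `rolePermissions`.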
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminUserController.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminUserController.java
new file mode 100644
index 0000000..7b53c29
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminUserController.java
@@ -0,0 +1,568 @@
+package com.supwisdom.leaveschool.user.controller.api.admin;
+
+import java.util.HashMap;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.domain.Page;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.util.MimeTypeUtils;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.supwisdom.leaveschool.common.controller.api.CrudApiController;
+import com.supwisdom.leaveschool.common.model.PagerRequestModel;
+import com.supwisdom.leaveschool.common.model.PagerResponseModel;
+import com.supwisdom.leaveschool.common.model.SuccessResponseModel;
+import com.supwisdom.leaveschool.common.util.DomainUtils;
+import com.supwisdom.leaveschool.user.domain.UserGroup;
+import com.supwisdom.leaveschool.user.domain.User;
+import com.supwisdom.leaveschool.user.domain.UserRole;
+import com.supwisdom.leaveschool.user.model.UserGroups;
+import com.supwisdom.leaveschool.user.model.UserRoles;
+import com.supwisdom.leaveschool.user.repository.UserGroupRepository;
+import com.supwisdom.leaveschool.user.repository.UserRepository;
+import com.supwisdom.leaveschool.user.repository.UserRoleRepository;
+
+@RestController
+@RequestMapping("/api/v1/admin/users")
+public class Api1AdminUserController extends CrudApiController<User, UserRepository> {
+
+  @Autowired
+  private UserRepository userRepository;
+
+  @Autowired
+  private UserGroupRepository userGroupRepository;
+
+  @Autowired
+  private UserRoleRepository userRoleRepository;
+  
+  @Autowired
+  private PasswordEncoder passwordEncoder;
+
+  @Override
+  protected UserRepository getRepository() {
+
+    return userRepository;
+  }
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users?pageIndex=2&pageSize=50'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users?pageIndex=0&pageSize=20&mapBean[username]=username&mapBean[name]=name&mapBean[status]=1'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users?pageIndex=0&pageSize=20&mapBean[username]=username&mapBean[name]=name&mapBean[status]=0'
+   * 
+   * response success:
+   * 
+   * <pre>
+   * {
+   *   "pageIndex":0,
+   *   "pageSize":20,
+   *   "mapBean":null,
+   *   "pageCount":1,
+   *   "recordCount":1,
+   *   "items":[
+   *     {
+   *       "id":"ff80808164feb8990164feba0de50000",
+   *       "companyId":"1",
+   *       "deleted":false,
+   *       "addAccount":"user","addTime":"2018-08-03T07:39:23.000+0000",
+   *       "editAccount":null,"editTime":null,
+   *       "deleteAccount":null,"deleteTime":null,
+   *       "username":"test001",
+   *       "password":"test001",
+   *       "enabled":true,
+   *       "accountNonExpired":true,
+   *       "accountNonLocked":true,
+   *       "credentialsNonExpired":true,
+   *       "name":"测试001",
+   *       "status":"1",
+   *       "mobile":null,
+   *       "email":null
+   *     }
+   *   ]
+   * }
+   * </pre>
+   * 
+   * response error 401:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T08:48:25.777+0000",
+   *   "status":401,
+   *   "error":"Http Status 401",
+   *   "message":"Unauthorized",
+   *   "path":"/api/v1/admin/users"
+   * }
+   * </pre>
+   * 
+   * @param pagerRequestModel
+   * @return
+   */
+  @Override
+  @GetMapping(produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseStatus(value = HttpStatus.OK)
+  @ResponseBody
+  public PagerResponseModel<User> list(PagerRequestModel pagerRequestModel) {
+
+    Page<User> page = userRepository.selectPageList(pagerRequestModel.getPageIndex(), pagerRequestModel.getPageSize(),
+        pagerRequestModel.getMapBean());
+
+    PagerResponseModel<User> pagerResponseModel = PagerResponseModel.of(pagerRequestModel);
+    pagerResponseModel.setCurrentItemCount(page.getNumberOfElements());
+    pagerResponseModel.setPageCount(page.getTotalPages());
+    pagerResponseModel.setRecordCount(page.getTotalElements());
+    pagerResponseModel.setItems(page.getContent());
+
+    return pagerResponseModel;
+  }
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1'
+   * 
+   * response success:
+   * 
+   * <pre>
+   * {
+   *   "id":"ff80808164feb8990164feba0de50000",
+   *   "companyId":"1",
+   *   "deleted":false,
+   *   "addAccount":"user","addTime":"2018-08-03T07:39:23.000+0000",
+   *   "editAccount":null,"editTime":null,
+   *   "deleteAccount":null,"deleteTime":null,
+   *   "username":"test001",
+   *   "password":"test001",
+   *   "enabled":true,
+   *   "accountNonExpired":true,
+   *   "accountNonLocked":true,
+   *   "credentialsNonExpired":true,
+   *   "name":"测试001",
+   *   "status":"1",
+   *   "mobile":null,
+   *   "email":null
+   * }
+   * </pre>
+   * 
+   * response error 401:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T08:43:26.080+0000",
+   *   "status":401,
+   *   "error":"Http Status 401",
+   *   "message":"Unauthorized",
+   *   "path":"/api/v1/admin/users/ff80808164fecf640164fed269480000"
+   * }
+   * </pre>
+   * 
+   * response error 500:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T07:44:07.963+0000",
+   *   "status":500,
+   *   "error":"Internal Server Error",
+   *   "exception":"java.lang.RuntimeException",
+   *   "message":"exception.get.domain.not.exist",
+   *   "path":"/api/v1/admin/users/1"
+   * }
+   * </pre>
+   * 
+   * @param id
+   * @return
+   */
+  @Override
+  @GetMapping(path = "/{id}", produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseStatus(value = HttpStatus.OK)
+  @ResponseBody
+  public User get(@PathVariable("id") String id) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    User user = userRepository.selectById(id);
+
+    if (user == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    return user;
+  }
+
+  /**
+   * 
+   * curl -i -s -X POST -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users' \
+   * -d '{"username":"test001","password":"test001","enabled":true,"accountNonExpired":true,"accountNonLocked":true,"credentialsNonExpired":true,"name":"测试001","status":"1"}'
+   * 
+   * response success:
+   * 
+   * <pre>
+   * {
+   *   "success":"info.create.success"
+   * }
+   * </pre>
+   * 
+   * response error 401:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T08:48:25.777+0000",
+   *   "status":401,
+   *   "error":"Http Status 401",
+   *   "message":"Unauthorized",
+   *   "path":"/api/v1/admin/users"
+   * }
+   * </pre>
+   * 
+   * response error: // FIXME: save error
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T07:45:43.436+0000",
+   *   "status":500,
+   *   "error":"Internal Server Error",
+   *   "exception":"org.springframework.dao.DataIntegrityViolationException",
+   *   "message":"could not execute statement; SQL [n/a]; constraint [null]; nested exception is org.hibernate.exception.ConstraintViolationException: could not execute statement",
+   *   "path":"/api/v1/admin/users"
+   * }
+   * </pre>
+   * 
+   * @param user
+   * @return
+   */
+  @Override
+  @PostMapping(consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseStatus(value = HttpStatus.OK)
+  @ResponseBody
+  public SuccessResponseModel create(@RequestBody User user) {
+    
+    // FIXME: 验证数据有效性
+    
+    if (user.getPassword() !=null && user.getPassword().length() > 0 && !user.getPassword().startsWith("{")) {
+      user.setPassword(passwordEncoder.encode(user.getPassword()));
+    }
+
+    @SuppressWarnings("unused")
+    User ret = userRepository.insert(user);
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.create.success");
+
+    return res;
+  }
+
+  /**
+   * 
+   * curl -i -s -X PUT -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users' \
+   * -d '{"id":"1","status":"0"}'
+   * 
+   * response success:
+   * 
+   * <pre>
+   * {
+   *   "success":"info.update.success"
+   * }
+   * </pre>
+   * 
+   * response error 401:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T08:48:25.777+0000",
+   *   "status":401,
+   *   "error":"Http Status 401",
+   *   "message":"Unauthorized",
+   *   "path":"/api/v1/admin/users"
+   * }
+   * </pre>
+   * 
+   * curl -i -s -X PUT -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users' \
+   * -d '{"status":"0"}'
+   * 
+   * response error:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T07:50:52.327+0000",
+   *   "status":500,
+   *   "error":"Internal Server Error",
+   *   "exception":"java.lang.RuntimeException",
+   *   "message":"exception.update.id.must.not.empty",
+   *   "path":"/api/v1/admin/users"
+   * }
+   * </pre>
+   * 
+   * curl -i -s -X PUT -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users' \
+   * -d '{"id":"1","status":"0"}'
+   * 
+   * response error:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T07:48:24.774+0000",
+   *   "status":500,
+   *   "error":"Internal Server Error",
+   *   "exception":"java.lang.RuntimeException",
+   *   "message":"exception.update.domain.not.exist",
+   *   "path":"/api/v1/admin/users"
+   * }
+   * </pre>
+   * 
+   * @param user
+   * @return
+   */
+  @Override
+  @PutMapping(consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseStatus(value = HttpStatus.OK)
+  @ResponseBody
+  public SuccessResponseModel update(@RequestBody User user) {
+
+    if (user.getId() == null || user.getId().length() == 0) {
+      throw new RuntimeException("exception.update.id.must.not.empty"); // FIXME: RestException
+    }
+
+    User tmp = userRepository.selectById(user.getId());
+    if (tmp == null) {
+      throw new RuntimeException("exception.update.domain.not.exist"); // FIXME: RestException
+    }
+    
+    if (user.getPassword() !=null && user.getPassword().length() > 0 && !user.getPassword().startsWith("{")) {
+      user.setPassword(passwordEncoder.encode(user.getPassword()));
+    }
+
+    tmp = DomainUtils.merge(user, tmp);
+
+    @SuppressWarnings("unused")
+    User ret = userRepository.update(tmp);
+    userRepository.flush();
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.update.success");
+
+    return res;
+  }
+
+  /**
+   * 
+   * curl -i -s -X DELETE -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1'
+   * 
+   * response success:
+   * 
+   * <pre>
+   * {
+   *   "success":"info.delete.success"
+   * }
+   * </pre>
+   * 
+   * response error 401:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T08:48:25.777+0000",
+   *   "status":401,
+   *   "error":"Http Status 401",
+   *   "message":"Unauthorized",
+   *   "path":"/api/v1/admin/users/1"
+   * }
+   * </pre>
+   * 
+   * response error 500:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T08:03:16.364+0000",
+   *   "status":500,
+   *   "error":"Internal Server Error",
+   *   "exception":"java.lang.RuntimeException",
+   *   "message":"exception.delete.domain.not.exist",
+   *   "path":"/api/v1/admin/users/1"
+   * }
+   * </pre>
+   * 
+   * @param id
+   * @return
+   */
+  @Override
+  @DeleteMapping(path = "/{id}", produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseStatus(value = HttpStatus.OK)
+  @ResponseBody
+  public SuccessResponseModel delete(@PathVariable("id") String id) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.delete.id.must.not.empty"); // FIXME: RestException
+    }
+
+    User tmp = userRepository.selectById(id);
+    if (tmp == null) {
+      throw new RuntimeException("exception.delete.domain.not.exist"); // FIXME: RestException
+    }
+
+    userRepository.delete(tmp);
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.delete.success");
+
+    return res;
+  }
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1/groups'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1/groups?pageIndex=2&pageSize=50'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1/groups?pageIndex=0&pageSize=20&mapBean[groupCode]=groupCode&mapBean[groupName]=groupName'
+   * 
+   * 
+   * 
+   * @param id
+   * @param pagerRequestModel
+   * @return
+   */
+  @RequestMapping(value = "/{id}/groups", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public PagerResponseModel<UserGroup> userGroups(@PathVariable("id") String id, PagerRequestModel pagerRequestModel) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    User user = userRepository.selectById(id);
+
+    if (user == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    if (pagerRequestModel.getMapBean() == null) {
+      pagerRequestModel.setMapBean(new HashMap<String, Object>());
+    }
+    pagerRequestModel.getMapBean().put("userId", user.getId());
+
+    Page<UserGroup> page = userGroupRepository.selectUserGroups(pagerRequestModel.getPageIndex(),
+        pagerRequestModel.getPageSize(), pagerRequestModel.getMapBean());
+
+    PagerResponseModel<UserGroup> pagerResponseModel = PagerResponseModel.of(pagerRequestModel);
+    pagerResponseModel.setPageCount(page.getTotalPages());
+    pagerResponseModel.setRecordCount(page.getTotalElements());
+    pagerResponseModel.setItems(page.getContent());
+
+    return pagerResponseModel;
+  }
+
+  /**
+   * 
+   * curl -i -s -X POST -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1/groups' \
+   * -d '{"groupUsers":[{"groupId":"1"},{"groupId":"2"}]}'
+   * 
+   * 
+   * @param id
+   * @param userUsers
+   * @return
+   */
+  @RequestMapping(value = "/{id}/groups", method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public SuccessResponseModel relateGroups(@PathVariable("id") String id, @RequestBody UserGroups groupUsers) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    User user = userRepository.selectById(id);
+
+    if (user == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    userGroupRepository.relateUserGroups(user, groupUsers.getUserGroups());
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.set.success");
+
+    return res;
+  }
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1/roles'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1/roles?pageIndex=2&pageSize=50'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1/roles?pageIndex=0&pageSize=20&mapBean[roleCode]=roleCode&mapBean[roleName]=roleName'
+   * 
+   * 
+   * 
+   * @param id
+   * @param pagerRequestModel
+   * @return
+   */
+  @RequestMapping(value = "/{id}/roles", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public PagerResponseModel<UserRole> userRoles(@PathVariable("id") String id, PagerRequestModel pagerRequestModel) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    User user = userRepository.selectById(id);
+
+    if (user == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    if (pagerRequestModel.getMapBean() == null) {
+      pagerRequestModel.setMapBean(new HashMap<String, Object>());
+    }
+    pagerRequestModel.getMapBean().put("userId", user.getId());
+
+    Page<UserRole> page = userRoleRepository.selectUserRoles(pagerRequestModel.getPageIndex(),
+        pagerRequestModel.getPageSize(), pagerRequestModel.getMapBean());
+
+    PagerResponseModel<UserRole> pagerResponseModel = PagerResponseModel.of(pagerRequestModel);
+    pagerResponseModel.setPageCount(page.getTotalPages());
+    pagerResponseModel.setRecordCount(page.getTotalElements());
+    pagerResponseModel.setItems(page.getContent());
+
+    return pagerResponseModel;
+  }
+
+  /**
+   * 
+   * curl -i -s -X POST -H 'Content-Type:application/json' -H 'Accept:application/json' 'http://localhost:10010/api/v1/admin/users/1/roles' \
+   * -d '{"userRoles":[{"roleId":"1"},{"roleId":"2"}]}'
+   * 
+   * 
+   * @param id
+   * @param userUsers
+   * @return
+   */
+  @RequestMapping(value = "/{id}/roles", method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public SuccessResponseModel relateRoles(@PathVariable("id") String id, @RequestBody UserRoles userRoles) {
+
+    if (id == null || id.length() == 0) {
+      throw new RuntimeException("exception.get.id.must.not.empty"); // FIXME: RestException
+    }
+
+    User user = userRepository.selectById(id);
+
+    if (user == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+
+    userRoleRepository.relateUserRoles(user, userRoles.getUserRoles());
+
+    SuccessResponseModel res = new SuccessResponseModel();
+    res.setSuccess("info.set.success");
+
+    return res;
+  }
+
+}
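Review bot: In `create` and `update`, a password that starts with `{` skips `passwordEncoder.encode(...)` and is stored exactly as the client sent it, so the request body decides the stored credential format; if the configured encoder is a delegating one (PasswordEncoderConfig is not shown in this hunk), that may include an unhashed form. Treat every submitted password as plaintext and encode it unconditionally: `if (user.getPassword() != null && !user.getPassword().isEmpty()) { user.setPassword(passwordEncoder.encode(user.getPassword())); }`. Separately, `list` and `get` return the `User` entity as-is and the Javadoc samples show a `password` field in the response, so the stored value appears to be serialized to API clients. A response DTO without that field, or a write-only JSON mapping on the field, would keep it out of responses.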
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/demo/ApiDemoUserController.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/demo/ApiDemoUserController.java
new file mode 100644
index 0000000..8d776f4
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/demo/ApiDemoUserController.java
@@ -0,0 +1,34 @@
+package com.supwisdom.leaveschool.user.controller.api.demo;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.util.MimeTypeUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/api/demo/users")
+public class ApiDemoUserController {
+  
+  private static final Logger logger = LoggerFactory.getLogger(ApiDemoUserController.class);
+
+  /**
+   * curl -i -s -X GET -H 'Remote_User:admin' -H 'Accept:application/json' 'http://localhost:10010/api/demo/users/greeting/abc'
+   *
+   * @param name
+   * @return
+   */
+  @GetMapping(path = "/greeting/{name}", produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  public Map<String, Object> greeting(@PathVariable("name") String name) {
+    logger.debug(name);
+    Map<String, Object> result = new HashMap<String, Object>();
+    result.put("message", "Good " + name);
+    return result;
+  }
+
+}
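Review bot: `greeting` writes the raw path variable to the log with `logger.debug(name)`, so a decoded CR or LF in the name may start a forged log line. Log it through a fixed message and strip line breaks, e.g. `logger.debug("greeting name={}", name.replaceAll("[\r\n]", "_"));`. The Javadoc curl sends `Remote_User:admin`; if identity is taken from that header somewhere outside this hunk, it should be accepted only from the trusted gateway and stripped from external requests. A demo controller under `src/main` also ships with the service, so consider gating it behind a profile or moving it to test sources.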
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/security/Api1SecurityUserController.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/security/Api1SecurityUserController.java
new file mode 100644
index 0000000..ba76b0b
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/security/Api1SecurityUserController.java
@@ -0,0 +1,185 @@
+package com.supwisdom.leaveschool.user.controller.api.security;
+
+import java.util.List;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.util.MimeTypeUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.supwisdom.leaveschool.user.domain.Permission;
+import com.supwisdom.leaveschool.user.domain.Role;
+import com.supwisdom.leaveschool.user.domain.User;
+import com.supwisdom.leaveschool.user.model.SecurityUser;
+import com.supwisdom.leaveschool.user.repository.PermissionRepository;
+import com.supwisdom.leaveschool.user.repository.RoleRepository;
+import com.supwisdom.leaveschool.user.repository.UserRepository;
+
+@RestController
+@RequestMapping("/api/v1/security/users")
+public class Api1SecurityUserController {
+
+  @Autowired
+  private UserRepository userRepository;
+
+  @Autowired
+  private RoleRepository roleRepository;
+
+  @Autowired
+  private PermissionRepository permissionRepository;
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/security/users/test001'
+   * 
+   * response success:
+   * 
+   * <pre>
+   * {
+   *   "user":{
+   *     "id":"ff80808164feb8990164feba0de50000",
+   *     "companyId":"1",
+   *     "deleted":false,
+   *     "addAccount":"user","addTime":"2018-08-03T07:39:23.000+0000",
+   *     "editAccount":null,"editTime":null,
+   *     "deleteAccount":null,"deleteTime":null,
+   *     "username":"test001",
+   *     "password":"test001",
+   *     "enabled":true,
+   *     "accountNonExpired":true,
+   *     "accountNonLocked":true,
+   *     "credentialsNonExpired":true,
+   *     "name":"测试001",
+   *     "status":"1",
+   *     "mobile":null,
+   *     "email":null
+   *   },
+   *   "roles":[],
+   *   "permissions":null
+   * }
+   * </pre>
+   * 
+   * response error 500:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T07:44:07.963+0000",
+   *   "status":500,
+   *   "error":"Internal Server Error",
+   *   "exception":"java.lang.RuntimeException",
+   *   "message":"exception.get.domain.not.exist",
+   *   "path":"/api/v1/security/users/test000"
+   * }
+   * </pre>
+   * 
+   */
+  @GetMapping(path = "/{username}", produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseStatus(value = HttpStatus.OK)
+  @ResponseBody
+  public SecurityUser loadUserByUsername(@PathVariable("username") String username) {
+    
+    if (username == null || username.length() == 0) {
+      throw new RuntimeException("exception.get.username.must.not.empty"); // FIXME: RestException
+    }
+
+    User user = userRepository.selectByUsername(username);
+
+    if (user == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+    
+    List<Role> roles = roleRepository.selectByUsername(username);
+    
+    SecurityUser securityUser = new SecurityUser();
+    securityUser.setUser(user);
+    securityUser.setRoles(roles);
+
+    return securityUser;
+  }
+
+  /**
+   * 
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/security/users/test001/app001'
+   * curl -i -s -X GET -H 'Accept:application/json' 'http://localhost:10010/api/v1/security/users/test001/app001?type=2'
+   * 
+   * response success:
+   * 
+   * <pre>
+   * {
+   *   "user":{
+   *     "id":"ff80808164feb8990164feba0de50000",
+   *     "companyId":"1",
+   *     "deleted":false,
+   *     "addAccount":"user","addTime":"2018-08-03T07:39:23.000+0000",
+   *     "editAccount":null,"editTime":null,
+   *     "deleteAccount":null,"deleteTime":null,
+   *     "username":"test001",
+   *     "password":"test001",
+   *     "enabled":true,
+   *     "accountNonExpired":true,
+   *     "accountNonLocked":true,
+   *     "credentialsNonExpired":true,
+   *     "name":"测试001",
+   *     "status":"1",
+   *     "mobile":null,
+   *     "email":null
+   *   },
+   *   "roles":[],
+   *   "permissions":[]
+   * }
+   * </pre>
+   * 
+   * response error 500:
+   * 
+   * <pre>
+   * {
+   *   "timestamp":"2018-08-03T07:44:07.963+0000",
+   *   "status":500,
+   *   "error":"Internal Server Error",
+   *   "exception":"java.lang.RuntimeException",
+   *   "message":"exception.get.domain.not.exist",
+   *   "path":"/api/v1/security/users/test000/app001"
+   * }
+   * </pre>
+   * 
+   * @param username
+   * @param applicationCode
+   * @param type 权限类型，1 应用，2 页面，3 操作
+   * @return
+   */
+  @GetMapping(path = "/{username}/{applicationCode}", produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
+  @ResponseStatus(value = HttpStatus.OK)
+  @ResponseBody
+  public SecurityUser loadPermissionsByUsernameAppcode(
+      @PathVariable("username") String username, 
+      @PathVariable("applicationCode") String applicationCode, 
+      @RequestParam(value = "type", required = false) String type) {
+    
+    if (username == null || username.length() == 0) {
+      throw new RuntimeException("exception.get.username.must.not.empty"); // FIXME: RestException
+    }
+
+    User user = userRepository.selectByUsername(username);
+
+    if (user == null) {
+      throw new RuntimeException("exception.get.domain.not.exist"); // FIXME: RestException
+    }
+    
+    List<Role> roles = roleRepository.selectByUsername(username);
+    
+    List<Permission> permissions = permissionRepository.selectByUsername(username, applicationCode, type);
+    
+    SecurityUser securityUser = new SecurityUser();
+    securityUser.setUser(user);
+    securityUser.setRoles(roles);
+    securityUser.setPermissions(permissions);
+    
+    return securityUser;
+  }
+}
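Review bot: `loadUserByUsername` and `loadPermissionsByUsernameAppcode` return the whole `User` entity, and the Javadoc samples show its `password` field in the body, so whoever can reach `/api/v1/security/users/{username}` receives the stored credential along with roles and permissions. Unlike the admin controller's Javadoc, no 401 response is documented here, and the access rules are not visible in this hunk, so please confirm the path is restricted to the internal authentication caller. I would state that in the Javadoc, e.g. `Internal endpoint: returns the stored password value; must not be reachable from outside the gateway.` Also, `applicationCode` and `type` go to `permissionRepository.selectByUsername` unchecked although the Javadoc limits `type` to 1, 2 or 3; reject other values before the query.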
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/Group.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/Group.java
new file mode 100644
index 0000000..cc3a73d
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/Group.java
@@ -0,0 +1,74 @@
+package com.supwisdom.leaveschool.user.domain;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+import com.supwisdom.leaveschool.common.domain.ABaseDomain;
+
+@Entity(name = "Group_")
+@Table(name = "TB_U_GROUP")
+public class Group extends ABaseDomain {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 4260326816456622523L;
+
+  /**
+   * 代码
+   */
+  @Column(name = "CODE")
+  private String code;
+
+  /**
+   * 名称
+   */
+  @Column(name = "NAME")
+  private String name;
+
+  /**
+   * 备注
+   */
+  @Column(name = "MEMO")
+  private String memo;
+
+  /**
+   * 状态（1 启用，0 停用）
+   */
+  @Column(name = "STATUS")
+  private String status;
+
+  public String getCode() {
+    return code;
+  }
+
+  public void setCode(String code) {
+    this.code = code;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public void setName(String name) {
+    this.name = name;
+  }
+
+  public String getMemo() {
+    return memo;
+  }
+
+  public void setMemo(String memo) {
+    this.memo = memo;
+  }
+
+  public String getStatus() {
+    return status;
+  }
+
+  public void setStatus(String status) {
+    this.status = status;
+  }
+
+}
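Review bot: `status` is a plain `String` although its Javadoc allows only 1 (enabled) and 0 (disabled), and nothing in the entity rejects other values; `Role` and `Permission` later in this diff declare the field the same way. If request bodies are bound straight to these entities, as the admin user controller does with `User`, any string can reach the `STATUS` column. A guard in the setter would close that, e.g. `if (!"1".equals(status) && !"0".equals(status)) throw new IllegalArgumentException("status must be 0 or 1");`, or the field could become an enum. The `code`/`name`/`memo`/`status` fields and accessors are repeated verbatim in `Role` and `Permission`, so a shared `@MappedSuperclass` would hold the check in one place.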
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/GroupRole.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/GroupRole.java
new file mode 100644
index 0000000..a2f4ac1
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/GroupRole.java
@@ -0,0 +1,46 @@
+package com.supwisdom.leaveschool.user.domain;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+import com.supwisdom.leaveschool.common.domain.ABaseDomain;
+
+@Entity
+@Table(name = "TB_U_GROUP_ROLE")
+public class GroupRole extends ABaseDomain {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = -3141266845902556712L;
+
+  /**
+   * 用户组ID
+   */
+  @Column(name = "GROUP_ID")
+  private String groupId;
+
+  /**
+   * 角色ID
+   */
+  @Column(name = "ROLE_ID")
+  private String roleId;
+
+  public String getGroupId() {
+    return groupId;
+  }
+
+  public void setGroupId(String groupId) {
+    this.groupId = groupId;
+  }
+
+  public String getRoleId() {
+    return roleId;
+  }
+
+  public void setRoleId(String roleId) {
+    this.roleId = roleId;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/Permission.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/Permission.java
new file mode 100644
index 0000000..30911e8
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/Permission.java
@@ -0,0 +1,172 @@
+package com.supwisdom.leaveschool.user.domain;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+import com.supwisdom.leaveschool.common.domain.ABaseDomain;
+
+@Entity
+@Table(name = "TB_U_PERMISSION")
+public class Permission extends ABaseDomain {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = -8834200833972243635L;
+
+  /**
+   * 代码
+   */
+  @Column(name = "CODE")
+  private String code;
+
+  /**
+   * 名称
+   */
+  @Column(name = "NAME")
+  private String name;
+
+  /**
+   * 备注
+   */
+  @Column(name = "MEMO")
+  private String memo;
+
+  /**
+   * 状态（1 启用，0 停用）
+   */
+  @Column(name = "STATUS")
+  private String status;
+
+  /**
+   * 类型（1 应用，2 页面，3 操作）
+   */
+  @Column(name = "TYPE_")
+  private String type;
+
+  /**
+   * URL地址
+   */
+  @Column(name = "URL")
+  private String url;
+
+  /**
+   * 父级ID
+   */
+  @Column(name = "PARENT_ID")
+  private String parentId;
+
+  /**
+   * 排序
+   */
+  @Column(name = "ORDER_")
+  private String order;
+
+  /**
+   * 层次
+   */
+  @Column(name = "LEVEL_")
+  private String level;
+
+  /**
+   * 左序
+   */
+  @Column(name = "LFT")
+  private int lft;
+
+  /**
+   * 右序
+   */
+  @Column(name = "RGT")
+  private int rgt;
+
+  public String getCode() {
+    return code;
+  }
+
+  public void setCode(String code) {
+    this.code = code;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public void setName(String name) {
+    this.name = name;
+  }
+
+  public String getMemo() {
+    return memo;
+  }
+
+  public void setMemo(String memo) {
+    this.memo = memo;
+  }
+
+  public String getStatus() {
+    return status;
+  }
+
+  public void setStatus(String status) {
+    this.status = status;
+  }
+
+  public String getType() {
+    return type;
+  }
+
+  public void setType(String type) {
+    this.type = type;
+  }
+
+  public String getUrl() {
+    return url;
+  }
+
+  public void setUrl(String url) {
+    this.url = url;
+  }
+
+  public String getParentId() {
+    return parentId;
+  }
+
+  public void setParentId(String parentId) {
+    this.parentId = parentId;
+  }
+
+  public String getOrder() {
+    return order;
+  }
+
+  public void setOrder(String order) {
+    this.order = order;
+  }
+
+  public String getLevel() {
+    return level;
+  }
+
+  public void setLevel(String level) {
+    this.level = level;
+  }
+
+  public int getLft() {
+    return lft;
+  }
+
+  public void setLft(int lft) {
+    this.lft = lft;
+  }
+
+  public int getRgt() {
+    return rgt;
+  }
+
+  public void setRgt(int rgt) {
+    this.rgt = rgt;
+  }
+
+}
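Review bot: `order` and `level` are declared as `String` while `lft` and `rgt` are `int`, so any sort or comparison on `ORDER_` or `LEVEL_` is lexicographic ("10" sorts before "2") if the columns are character typed; the schema is not visible in this hunk. If the columns can be numeric, declare them as `private Integer order;` and `private Integer level;` with matching accessors. `lft` and `rgt` are primitives, so a row with a NULL in either column cannot be loaded; `Integer`, or `@Column(name = "LFT", nullable = false)`, would make the intent explicit.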
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/Role.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/Role.java
new file mode 100644
index 0000000..5d2d9fb
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/Role.java
@@ -0,0 +1,74 @@
+package com.supwisdom.leaveschool.user.domain;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+import com.supwisdom.leaveschool.common.domain.ABaseDomain;
+
+@Entity
+@Table(name = "TB_U_ROLE")
+public class Role extends ABaseDomain {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 5470129732727732514L;
+
+  /**
+   * 代码
+   */
+  @Column(name = "CODE")
+  private String code;
+
+  /**
+   * 名称
+   */
+  @Column(name = "NAME")
+  private String name;
+
+  /**
+   * 备注
+   */
+  @Column(name = "MEMO")
+  private String memo;
+
+  /**
+   * 状态（1 启用，0 停用）
+   */
+  @Column(name = "STATUS")
+  private String status;
+
+  public String getCode() {
+    return code;
+  }
+
+  public void setCode(String code) {
+    this.code = code;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public void setName(String name) {
+    this.name = name;
+  }
+
+  public String getMemo() {
+    return memo;
+  }
+
+  public void setMemo(String memo) {
+    this.memo = memo;
+  }
+
+  public String getStatus() {
+    return status;
+  }
+
+  public void setStatus(String status) {
+    this.status = status;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/RolePermission.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/RolePermission.java
new file mode 100644
index 0000000..ab1fd86
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/RolePermission.java
@@ -0,0 +1,46 @@
+package com.supwisdom.leaveschool.user.domain;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+import com.supwisdom.leaveschool.common.domain.ABaseDomain;
+
+@Entity
+@Table(name = "TB_U_ROLE_PERMISSION")
+public class RolePermission extends ABaseDomain {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 5293251541687343949L;
+
+  /**
+   * 角色ID
+   */
+  @Column(name = "ROLE_ID")
+  private String roleId;
+
+  /**
+   * 权限ID
+   */
+  @Column(name = "PERMISSION_ID")
+  private String permissionId;
+
+  public String getRoleId() {
+    return roleId;
+  }
+
+  public void setRoleId(String roleId) {
+    this.roleId = roleId;
+  }
+
+  public String getPermissionId() {
+    return permissionId;
+  }
+
+  public void setPermissionId(String permissionId) {
+    this.permissionId = permissionId;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/User.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/User.java
new file mode 100644
index 0000000..db696e8
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/User.java
@@ -0,0 +1,154 @@
+package com.supwisdom.leaveschool.user.domain;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+import com.supwisdom.leaveschool.common.domain.ABaseDomain;
+
+@Entity
+@Table(name = "TB_U_USER")
+public class User extends ABaseDomain {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 7955624268022038897L;
+
+  /**
+   * 用户名
+   */
+  @Column(name = "USERNAME", unique = true)
+  private String username;
+  
+  /**
+   * 密码
+   */
+  @Column(name = "PASSWORD")
+  private String password;
+
+  /**
+   * 是否可用，1 可用，0 不可用，默认：1
+   */
+  @Column(name = "ENABLED")
+  private Boolean enabled;
+  /**
+   * 账号未过期，1 未过期，0 过期，默认：1
+   */
+  @Column(name = "ACCOUNT_NON_EXPIRED")
+  private Boolean accountNonExpired;
+  /**
+   * 账号未锁定，1 未锁定，0 锁定，默认：1
+   */
+  @Column(name = "ACCOUNT_NON_LOCKED")
+  private Boolean accountNonLocked;
+  /**
+   * 密码未过期，1 未过期，0 过期，默认：1
+   */
+  @Column(name = "CREDENTIALS_NON_EXPIRED")
+  private Boolean credentialsNonExpired;
+
+  /**
+   * 姓名
+   */
+  @Column(name = "NAME")
+  private String name;
+  
+  /**
+   * 状态（1 启用，0 停用）
+   */
+  @Column(name = "STATUS")
+  private String status;
+
+  /**
+   * 登录手机
+   */
+  @Column(name = "MOBILE")
+  private String mobile;
+  /**
+   * 登录邮箱
+   */
+  @Column(name = "EMAIL")
+  private String email;
+
+  public String getUsername() {
+    return username;
+  }
+
+  public void setUsername(String username) {
+    this.username = username;
+  }
+
+  public String getPassword() {
+    return password;
+  }
+
+  public void setPassword(String password) {
+    this.password = password;
+  }
+
+  public Boolean getEnabled() {
+    return enabled;
+  }
+
+  public void setEnabled(Boolean enabled) {
+    this.enabled = enabled;
+  }
+
+  public Boolean getAccountNonExpired() {
+    return accountNonExpired;
+  }
+
+  public void setAccountNonExpired(Boolean accountNonExpired) {
+    this.accountNonExpired = accountNonExpired;
+  }
+
+  public Boolean getAccountNonLocked() {
+    return accountNonLocked;
+  }
+
+  public void setAccountNonLocked(Boolean accountNonLocked) {
+    this.accountNonLocked = accountNonLocked;
+  }
+
+  public Boolean getCredentialsNonExpired() {
+    return credentialsNonExpired;
+  }
+
+  public void setCredentialsNonExpired(Boolean credentialsNonExpired) {
+    this.credentialsNonExpired = credentialsNonExpired;
+  }
+
+  public String getName() {
+    return name;
+  }
+
+  public void setName(String name) {
+    this.name = name;
+  }
+
+  public String getStatus() {
+    return status;
+  }
+
+  public void setStatus(String status) {
+    this.status = status;
+  }
+
+  public String getMobile() {
+    return mobile;
+  }
+
+  public void setMobile(String mobile) {
+    this.mobile = mobile;
+  }
+
+  public String getEmail() {
+    return email;
+  }
+
+  public void setEmail(String email) {
+    this.email = email;
+  }
+
+}
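Review bot: `User` exposes the stored password through a public `getPassword()`, and nothing on the field keeps it out of serialized output, while `SecurityUser` later in this diff wraps a `User` and is `Serializable`. If either object is returned from a controller or placed in a cache (neither is visible here), the stored password value travels with it. Marking the field write-only for JSON, for example with Jackson's `@JsonProperty(access = JsonProperty.Access.WRITE_ONLY)` if Jackson is the serializer in use, or returning a DTO without the field, would prevent that. The four `Boolean` flags are documented as defaulting to 1 but are never initialised, so a freshly constructed `User` carries null for them.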
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/UserGroup.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/UserGroup.java
new file mode 100644
index 0000000..4911bb7
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/UserGroup.java
@@ -0,0 +1,46 @@
+package com.supwisdom.leaveschool.user.domain;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+import com.supwisdom.leaveschool.common.domain.ABaseDomain;
+
+@Entity
+@Table(name = "TB_U_USER_GROUP")
+public class UserGroup extends ABaseDomain {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = -4239845385965871983L;
+
+  /**
+   * 用户ID
+   */
+  @Column(name = "USER_ID")
+  private String userId;
+
+  /**
+   * 用户组ID
+   */
+  @Column(name = "GROUP_ID")
+  private String groupId;
+
+  public String getUserId() {
+    return userId;
+  }
+
+  public void setUserId(String userId) {
+    this.userId = userId;
+  }
+
+  public String getGroupId() {
+    return groupId;
+  }
+
+  public void setGroupId(String groupId) {
+    this.groupId = groupId;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/UserRole.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/UserRole.java
new file mode 100644
index 0000000..71ae23a
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/domain/UserRole.java
@@ -0,0 +1,46 @@
+package com.supwisdom.leaveschool.user.domain;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+import com.supwisdom.leaveschool.common.domain.ABaseDomain;
+
+@Entity
+@Table(name = "TB_U_USER_ROLE")
+public class UserRole extends ABaseDomain {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = -6158470486381850942L;
+
+  /**
+   * 用户ID
+   */
+  @Column(name = "USER_ID")
+  private String userId;
+
+  /**
+   * 角色ID
+   */
+  @Column(name = "ROLE_ID")
+  private String roleId;
+
+  public String getUserId() {
+    return userId;
+  }
+
+  public void setUserId(String userId) {
+    this.userId = userId;
+  }
+
+  public String getRoleId() {
+    return roleId;
+  }
+
+  public void setRoleId(String roleId) {
+    this.roleId = roleId;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/GroupRoles.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/GroupRoles.java
new file mode 100644
index 0000000..14b8565
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/GroupRoles.java
@@ -0,0 +1,25 @@
+package com.supwisdom.leaveschool.user.model;
+
+import java.io.Serializable;
+import java.util.List;
+
+import com.supwisdom.leaveschool.user.domain.GroupRole;
+
+public class GroupRoles implements Serializable {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = -5839141864223755990L;
+
+  private List<GroupRole> groupRoles;
+
+  public List<GroupRole> getGroupRoles() {
+    return groupRoles;
+  }
+
+  public void setGroupRoles(List<GroupRole> groupRoles) {
+    this.groupRoles = groupRoles;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/RolePermissions.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/RolePermissions.java
new file mode 100644
index 0000000..72cfb4d
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/RolePermissions.java
@@ -0,0 +1,25 @@
+package com.supwisdom.leaveschool.user.model;
+
+import java.io.Serializable;
+import java.util.List;
+
+import com.supwisdom.leaveschool.user.domain.RolePermission;
+
+public class RolePermissions implements Serializable {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = -2452925034310554167L;
+  
+  private List<RolePermission> rolePermissions;
+
+  public List<RolePermission> getRolePermissions() {
+    return rolePermissions;
+  }
+
+  public void setRolePermissions(List<RolePermission> rolePermissions) {
+    this.rolePermissions = rolePermissions;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/SecurityUser.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/SecurityUser.java
new file mode 100644
index 0000000..01611b2
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/SecurityUser.java
@@ -0,0 +1,47 @@
+package com.supwisdom.leaveschool.user.model;
+
+import java.io.Serializable;
+import java.util.List;
+
+import com.supwisdom.leaveschool.user.domain.Permission;
+import com.supwisdom.leaveschool.user.domain.Role;
+import com.supwisdom.leaveschool.user.domain.User;
+
+public class SecurityUser implements Serializable {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = -1068580365294859071L;
+
+  private User user;
+
+  private List<Role> roles;
+
+  private List<Permission> permissions;
+
+  public User getUser() {
+    return user;
+  }
+
+  public void setUser(User user) {
+    this.user = user;
+  }
+
+  public List<Role> getRoles() {
+    return roles;
+  }
+
+  public void setRoles(List<Role> roles) {
+    this.roles = roles;
+  }
+
+  public List<Permission> getPermissions() {
+    return permissions;
+  }
+
+  public void setPermissions(List<Permission> permissions) {
+    this.permissions = permissions;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/UserGroups.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/UserGroups.java
new file mode 100644
index 0000000..8736c15
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/UserGroups.java
@@ -0,0 +1,25 @@
+package com.supwisdom.leaveschool.user.model;
+
+import java.io.Serializable;
+import java.util.List;
+
+import com.supwisdom.leaveschool.user.domain.UserGroup;
+
+public class UserGroups implements Serializable {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 8195230337021165172L;
+
+  private List<UserGroup> userGroups;
+
+  public List<UserGroup> getUserGroups() {
+    return userGroups;
+  }
+
+  public void setUserGroups(List<UserGroup> userGroups) {
+    this.userGroups = userGroups;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/UserRoles.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/UserRoles.java
new file mode 100644
index 0000000..e17bd2f
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/model/UserRoles.java
@@ -0,0 +1,25 @@
+package com.supwisdom.leaveschool.user.model;
+
+import java.io.Serializable;
+import java.util.List;
+
+import com.supwisdom.leaveschool.user.domain.UserRole;
+
+public class UserRoles implements Serializable {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 5444997122746118950L;
+
+  private List<UserRole> userRoles;
+
+  public List<UserRole> getUserRoles() {
+    return userRoles;
+  }
+
+  public void setUserRoles(List<UserRole> userRoles) {
+    this.userRoles = userRoles;
+  }
+
+}
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/GroupRepository.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/GroupRepository.java
new file mode 100644
index 0000000..14f3ea5
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/GroupRepository.java
@@ -0,0 +1,41 @@
+package com.supwisdom.leaveschool.user.repository;
+
+import java.util.Map;
+
+import org.springframework.data.domain.Example;
+import org.springframework.data.domain.ExampleMatcher;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.stereotype.Repository;
+
+import com.supwisdom.leaveschool.common.repository.BaseJpaRepository;
+import com.supwisdom.leaveschool.common.util.MapBeanUtils;
+import com.supwisdom.leaveschool.user.domain.Group;
+
+@Repository
+public interface GroupRepository extends BaseJpaRepository<Group> {
+
+  public default Page<Group> selectPageList(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+    Group probe = new Group();
+    if (mapBean != null) {
+      probe.setCode(MapBeanUtils.getString(mapBean, "code"));
+      probe.setName(MapBeanUtils.getString(mapBean, "name"));
+      probe.setMemo(MapBeanUtils.getString(mapBean, "memo"));
+      probe.setStatus(MapBeanUtils.getString(mapBean, "status"));
+    }
+    
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("code", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("name", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("memo", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("status", ExampleMatcher.GenericPropertyMatchers.exact());
+    
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+    Example<Group> example = Example.of(probe, matcher);
+    
+    Page<Group> page = this.findAll(example, pageRequest);
+    
+    return page;
+  }
+  
+}
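Review bot: `selectPageList` hands `pageSize` to `PageRequest.of` with no upper bound, so a caller that forwards a request parameter can ask for the whole table in one page; the callers are not in this hunk, so whether they cap it is unknown. Clamping here, e.g. `PageRequest.of(pageIndex, Math.min(pageSize, MAX_PAGE_SIZE))` with `MAX_PAGE_SIZE` as a new constant to be defined, would cover every caller. A short Javadoc stating that `pageIndex` is zero-based and which `mapBean` keys are read (`code`, `name`, `memo`, `status`) would also help. The `selectPageList` methods in GroupRoleRepository, PermissionRepository and RolePermissionRepository follow the same shape.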
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/GroupRoleRepository.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/GroupRoleRepository.java
new file mode 100644
index 0000000..253f4fe
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/GroupRoleRepository.java
@@ -0,0 +1,149 @@
+package com.supwisdom.leaveschool.user.repository;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.data.domain.Example;
+import org.springframework.data.domain.ExampleMatcher;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.stereotype.Repository;
+
+import com.supwisdom.leaveschool.common.repository.BaseJpaRepository;
+import com.supwisdom.leaveschool.common.util.MapBeanUtils;
+import com.supwisdom.leaveschool.user.domain.Group;
+import com.supwisdom.leaveschool.user.domain.GroupRole;
+import com.supwisdom.leaveschool.user.domain.Role;
+
+@Repository
+public interface GroupRoleRepository extends BaseJpaRepository<GroupRole> {
+
+  public default Page<GroupRole> selectPageList(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+    GroupRole probe = new GroupRole();
+    if (mapBean != null) {
+      probe.setGroupId(MapBeanUtils.getString(mapBean, "groupId"));
+      probe.setRoleId(MapBeanUtils.getString(mapBean, "roleId"));
+    }
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("groupId", ExampleMatcher.GenericPropertyMatchers.exact())
+        .withMatcher("roleId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+    Example<GroupRole> example = Example.of(probe, matcher);
+
+    Page<GroupRole> page = this.findAll(example, pageRequest);
+
+    return page;
+  }
+
+  public default Page<GroupRole> selectGroupRoles(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+
+    GroupRole probe = new GroupRole();
+    if (mapBean != null) {
+      probe.setGroupId(MapBeanUtils.getString(mapBean, "groupId"));
+      probe.setRoleId(MapBeanUtils.getString(mapBean, "roleId"));
+    }
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("groupId", ExampleMatcher.GenericPropertyMatchers.exact())
+        .withMatcher("roleId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<GroupRole> example = Example.of(probe, matcher);
+
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+
+    Page<GroupRole> page = this.findAll(example, pageRequest);  // FIXME: 多表关联查询
+
+    return page;
+  }
+
+  public default void relateGroupRoles(Group group, List<GroupRole> groupRoles) {
+
+    List<GroupRole> existGroupRoles = this.selectListByGroupId(group.getId());
+
+    Map<String, GroupRole> existMapGroupRoles = new LinkedHashMap<String, GroupRole>();
+    for (GroupRole groupRole : existGroupRoles) {
+      String k = String.format("%s", groupRole.getRoleId());
+      existMapGroupRoles.put(k, groupRole);
+    }
+
+    for (GroupRole groupRole : groupRoles) {
+      String k = String.format("%s", groupRole.getRoleId());
+
+      if (existMapGroupRoles.containsKey(k)) {
+        existMapGroupRoles.remove(k);
+      } else {
+        groupRole.setCompanyId(group.getCompanyId());
+        groupRole.setGroupId(group.getId());
+
+        this.insert(groupRole);
+      }
+    }
+
+    for (GroupRole groupRole : existMapGroupRoles.values()) {
+      this.deleteById(groupRole.getId());
+    }
+  }
+
+  public default List<GroupRole> selectListByGroupId(String groupId) {
+
+    GroupRole probe = new GroupRole();
+    probe.setGroupId(groupId);
+
+    ExampleMatcher matcher = ExampleMatcher.matching().withMatcher("groupId",
+        ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<GroupRole> example = Example.of(probe, matcher);
+
+    List<GroupRole> groupRoles = this.findAll(example);
+
+    return groupRoles;
+  }
+
+
+  public default void relateRoleGroups(Role role, List<GroupRole> groupRoles) {
+
+    List<GroupRole> existRoleGroups = this.selectListByRoleId(role.getCode());
+
+    Map<String, GroupRole> existMapRoleGroups = new LinkedHashMap<String, GroupRole>();
+    for (GroupRole groupRole : existRoleGroups) {
+      String k = String.format("%s", groupRole.getGroupId());
+      existMapRoleGroups.put(k, groupRole);
+    }
+
+    for (GroupRole groupRole : groupRoles) {
+      String k = String.format("%s", groupRole.getGroupId());
+
+      if (existMapRoleGroups.containsKey(k)) {
+        existMapRoleGroups.remove(k);
+      } else {
+        groupRole.setCompanyId(role.getCompanyId());
+        groupRole.setRoleId(role.getId());
+
+        this.insert(groupRole);
+      }
+    }
+
+    for (GroupRole groupRole : existMapRoleGroups.values()) {
+      this.deleteById(groupRole.getId());
+    }
+  }
+
+  public default List<GroupRole> selectListByRoleId(String roleId) {
+
+    GroupRole probe = new GroupRole();
+    probe.setRoleId(roleId);
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("roleId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<GroupRole> example = Example.of(probe, matcher);
+
+    List<GroupRole> groupRoles = this.findAll(example);
+
+    return groupRoles;
+  }
+
+}
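Review bot: In `relateRoleGroups` the existing rows are loaded with `this.selectListByRoleId(role.getCode())`, but new rows are written with `groupRole.setRoleId(role.getId())`, so the lookup and the insert use different keys. Unless a role's code happens to equal its id, the lookup returns nothing, every supplied group is inserted again, and rows for groups that were removed are never deleted, which leaves revoked group-role grants in place. The call should be `this.selectListByRoleId(role.getId())`, matching `relateGroupRoles`, which uses `group.getId()` on both sides.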
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/PermissionRepository.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/PermissionRepository.java
new file mode 100644
index 0000000..49825f6
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/PermissionRepository.java
@@ -0,0 +1,114 @@
+package com.supwisdom.leaveschool.user.repository;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+import org.springframework.data.domain.Example;
+import org.springframework.data.domain.ExampleMatcher;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import com.supwisdom.leaveschool.common.repository.BaseJpaRepository;
+import com.supwisdom.leaveschool.common.util.MapBeanUtils;
+import com.supwisdom.leaveschool.user.domain.Permission;
+
+@Repository
+public interface PermissionRepository extends BaseJpaRepository<Permission> {
+
+  public default Page<Permission> selectPageList(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+    Permission probe = new Permission();
+    if (mapBean != null) {
+      probe.setCode(MapBeanUtils.getString(mapBean, "code"));
+      probe.setName(MapBeanUtils.getString(mapBean, "name"));
+      probe.setMemo(MapBeanUtils.getString(mapBean, "memo"));
+      probe.setStatus(MapBeanUtils.getString(mapBean, "status"));
+    }
+    
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("code", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("name", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("memo", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("status", ExampleMatcher.GenericPropertyMatchers.exact());
+    
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+    Example<Permission> example = Example.of(probe, matcher);
+    
+    Page<Permission> page = this.findAll(example, pageRequest);
+    
+    return page;
+  }
+  
+
+
+  public default Permission selectApplicationPermissionByCode(String code) {
+    Permission probe = new Permission();
+    probe.setCode(code);
+    probe.setType("1");
+    
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("code", ExampleMatcher.GenericPropertyMatchers.exact())
+        .withMatcher("type", ExampleMatcher.GenericPropertyMatchers.exact());
+    
+    Example<Permission> example = Example.of(probe, matcher);
+    
+    Optional<Permission> o = this.findOne(example);
+    
+    if (o.isPresent()) {
+      return o.get();
+    }
+    
+    return null;
+  }
+  
+ 
+
+  @Query(value = "select p from Permission p "
+      + "inner join RolePermission rp on p.id=rp.permissionId "
+      + "inner join Role r on rp.roleId=r.id "
+      + "inner join UserRole ur on r.id=ur.roleId "
+      + "inner join User u on ur.userId=u.id "
+      + "where u.username=:username "
+      + "and p.lft >= :lft and p.rgt <= :rgt "
+      + "and (:type is null or p.type=:type) "
+      + "and p.status='1' and r.status='1' and u.status='1' and u.enabled=1 ")
+  public List<Permission> selectUserRolePermissionByUsername(@Param("username") String username, @Param("lft") int lft, @Param("rgt") int rgt, @Param("type") String type);
+  
+  @Query(value = "select p from Permission p "
+      + "inner join RolePermission rp on p.id=rp.permissionId "
+      + "inner join Role r on rp.roleId=r.id "
+      + "inner join GroupRole gr on r.id=gr.roleId "
+      + "inner join Group_ g on gr.groupId=g.id "
+      + "inner join UserGroup ug on g.id=ug.groupId "
+      + "inner join User u on ug.userId=u.id "
+      + "where u.username=:username "
+      + "and p.lft >= :lft and p.rgt <= :rgt "
+      + "and (:type is null or p.type=:type) "
+      + "and p.status='1' and r.status='1' and g.status='1' and u.status='1' and u.enabled=1 ")
+  public List<Permission> selectUserGroupRolePermissionByUsername(@Param("username") String username, @Param("lft") int lft, @Param("rgt") int rgt, @Param("type") String type);
+
+  public default List<Permission> selectByUsername(String username, String applicationCode, String type) {
+    List<Permission> permissions = new ArrayList<Permission>();
+    
+    Permission applicationPermission = selectApplicationPermissionByCode(applicationCode);
+    if (applicationPermission == null) {
+      return permissions;
+    }
+    
+    int lft = applicationPermission.getLft();
+    int rgt = applicationPermission.getRgt();
+    
+    List<Permission> userRolePermissions = selectUserRolePermissionByUsername(username, lft, rgt, type);
+    permissions.addAll(userRolePermissions);
+    
+    List<Permission> userGroupRolePermissions = selectUserGroupRolePermissionByUsername(username, lft, rgt, type);
+    permissions.addAll(userGroupRolePermissions);
+    
+    return permissions;
+  }
+
+}
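Review bot: `selectApplicationPermissionByCode` builds its probe with `new Permission()`, and the entity earlier in this diff that carries `lft`/`rgt` (presumably Permission; its header is outside this view) declares them as primitive `int`. Query by Example skips only null properties, so the primitive zeros are expected to become `lft = 0 and rgt = 0` predicates and the application root would not be found, which makes `selectByUsername` return an empty list; `selectPageList` builds the same kind of probe. Adding `.withIgnorePaths("lft", "rgt")` to both matchers, or declaring the fields as `Integer`, avoids this. The probe also leaves `status` unset, so a disabled application root would still supply its range; `probe.setStatus("1")` would align it with the `p.status='1'` check in the two queries.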
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/RolePermissionRepository.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/RolePermissionRepository.java
new file mode 100644
index 0000000..6dc9f2d
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/RolePermissionRepository.java
@@ -0,0 +1,151 @@
+package com.supwisdom.leaveschool.user.repository;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.data.domain.Example;
+import org.springframework.data.domain.ExampleMatcher;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.stereotype.Repository;
+
+import com.supwisdom.leaveschool.common.repository.BaseJpaRepository;
+import com.supwisdom.leaveschool.common.util.MapBeanUtils;
+import com.supwisdom.leaveschool.user.domain.Permission;
+import com.supwisdom.leaveschool.user.domain.RolePermission;
+import com.supwisdom.leaveschool.user.domain.Role;
+
+@Repository
+public interface RolePermissionRepository extends BaseJpaRepository<RolePermission> {
+
+  public default Page<RolePermission> selectPageList(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+    RolePermission probe = new RolePermission();
+    if (mapBean != null) {
+      probe.setRoleId(MapBeanUtils.getString(mapBean, "roleId"));
+      probe.setPermissionId(MapBeanUtils.getString(mapBean, "permissionId"));
+    }
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("roleId", ExampleMatcher.GenericPropertyMatchers.exact())
+        .withMatcher("permissionId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+    Example<RolePermission> example = Example.of(probe, matcher);
+
+    Page<RolePermission> page = this.findAll(example, pageRequest);
+
+    return page;
+  }
+
+  public default Page<RolePermission> selectRolePermissions(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+
+    RolePermission probe = new RolePermission();
+    if (mapBean != null) {
+      probe.setRoleId(MapBeanUtils.getString(mapBean, "roleId"));
+      probe.setPermissionId(MapBeanUtils.getString(mapBean, "permissionId"));
+    }
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("roleId", ExampleMatcher.GenericPropertyMatchers.exact())
+        .withMatcher("permissionId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<RolePermission> example = Example.of(probe, matcher);
+
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+
+    Page<RolePermission> page = this.findAll(example, pageRequest); // FIXME: 多表关联查询
+
+    return page;
+  }
+
+  public default void relateRolePermissions(Role role, List<RolePermission> rolePermissions) {
+
+    List<RolePermission> existRolePermissions = this.selectListByRoleId(role.getId());
+
+    Map<String, RolePermission> existMapRolePermissions = new LinkedHashMap<String, RolePermission>();
+    for (RolePermission rolePermission : existRolePermissions) {
+      String k = String.format("%s", rolePermission.getPermissionId());
+      existMapRolePermissions.put(k, rolePermission);
+    }
+
+    for (RolePermission rolePermission : rolePermissions) {
+      String k = String.format("%s", rolePermission.getPermissionId());
+
+      if (existMapRolePermissions.containsKey(k)) {
+        existMapRolePermissions.remove(k);
+      } else {
+        rolePermission.setCompanyId(role.getCompanyId());
+        rolePermission.setRoleId(role.getId());
+
+        this.insert(rolePermission);
+      }
+    }
+
+    for (RolePermission rolePermission : existMapRolePermissions.values()) {
+      this.deleteById(rolePermission.getId());
+    }
+  }
+
+  public default List<RolePermission> selectListByRoleId(String roleId) {
+
+    RolePermission probe = new RolePermission();
+    probe.setRoleId(roleId);
+
+    ExampleMatcher matcher = ExampleMatcher.matching().withMatcher("roleId",
+        ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<RolePermission> example = Example.of(probe, matcher);
+
+    List<RolePermission> rolePermissions = this.findAll(example);
+
+    return rolePermissions;
+  }
+
+  public default void relatePermissionRoles(Permission permission, List<RolePermission> rolePermissions) {
+
+    // 获取权限已关联的角色
+    List<RolePermission> existPermissionRoles = this.selectListByPermissionId(permission.getId());
+
+    Map<String, RolePermission> existMapPermissionRoles = new LinkedHashMap<String, RolePermission>();
+    for (RolePermission rolePermission : existPermissionRoles) {
+      String k = String.format("%s", rolePermission.getRoleId());
+      existMapPermissionRoles.put(k, rolePermission);
+    }
+
+    // 保存未关联的角色
+    for (RolePermission rolePermission : rolePermissions) {
+      String k = String.format("%s", rolePermission.getRoleId());
+
+      if (existMapPermissionRoles.containsKey(k)) {
+        existMapPermissionRoles.remove(k);
+      } else {
+        rolePermission.setCompanyId(permission.getCompanyId());
+        rolePermission.setPermissionId(permission.getId());
+
+        this.insert(rolePermission);
+      }
+    }
+
+    // 删除移除关联的角色
+    for (RolePermission rolePermission : existMapPermissionRoles.values()) {
+      this.deleteById(rolePermission.getId());
+    }
+  }
+
+  public default List<RolePermission> selectListByPermissionId(String permissionId) {
+
+    RolePermission probe = new RolePermission();
+    probe.setPermissionId(permissionId);
+
+    ExampleMatcher matcher = ExampleMatcher.matching().withMatcher("permissionId",
+        ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<RolePermission> example = Example.of(probe, matcher);
+
+    List<RolePermission> rolePermissions = this.findAll(example);
+
+    return rolePermissions;
+  }
+
+}
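Review bot: `relateRolePermissions` and `relatePermissionRoles` read the current grants and then issue separate `insert` and `deleteById` calls with no `@Transactional` on the method, so unless the caller (not visible here) opens a transaction, a failure part-way leaves the role with a mix of old and new permissions. Annotating both methods with `@Transactional`, or moving the logic into a transactional service method, would make the update atomic; `relateGroupRoles` and `relateRoleGroups` in GroupRoleRepository have the same shape. The loops also key on `String.format("%s", rolePermission.getPermissionId())`, which turns a missing id into the string `"null"` and inserts the row anyway; rejecting entries with a null id before the loop would be safer.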
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/RoleRepository.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/RoleRepository.java
new file mode 100644
index 0000000..f82d771
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/RoleRepository.java
@@ -0,0 +1,93 @@
+package com.supwisdom.leaveschool.user.repository;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+import org.springframework.data.domain.Example;
+import org.springframework.data.domain.ExampleMatcher;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import com.supwisdom.leaveschool.common.repository.BaseJpaRepository;
+import com.supwisdom.leaveschool.common.util.MapBeanUtils;
+import com.supwisdom.leaveschool.user.domain.Role;
+
+@Repository
+public interface RoleRepository extends BaseJpaRepository<Role> {
+
+  public default Page<Role> selectPageList(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+    Role probe = new Role();
+    if (mapBean != null) {
+      probe.setCode(MapBeanUtils.getString(mapBean, "code"));
+      probe.setName(MapBeanUtils.getString(mapBean, "name"));
+      probe.setMemo(MapBeanUtils.getString(mapBean, "memo"));
+      probe.setStatus(MapBeanUtils.getString(mapBean, "status"));
+    }
+    
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("code", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("name", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("memo", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("status", ExampleMatcher.GenericPropertyMatchers.exact());
+    
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+    Example<Role> example = Example.of(probe, matcher);
+    
+    Page<Role> page = this.findAll(example, pageRequest);
+    
+    return page;
+  }
+  
+  
+  public default Role selectByCode(String code) {
+    Role probe = new Role();
+    probe.setCode(code);
+    
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("code", ExampleMatcher.GenericPropertyMatchers.exact());
+    
+    Example<Role> example = Example.of(probe, matcher);
+    
+    Optional<Role> o = this.findOne(example);
+    
+    if (o.isPresent()) {
+      return o.get();
+    }
+    
+    return null;
+  }
+  
+  @Query(value = "select r from Role r "
+      + "inner join UserRole ur on r.id=ur.roleId "
+      + "inner join User u on ur.userId=u.id "
+      + "where u.username=:username "
+      + "and r.status='1' and u.status='1' and u.enabled=1 ")
+  public List<Role> selectUserRoleByUsername(@Param("username") String username);
+  
+  @Query(value = "select r from Role r "
+      + "inner join GroupRole gr on r.id=gr.roleId "
+      + "inner join Group_ g on gr.groupId=g.id "
+      + "inner join UserGroup ug on g.id=ug.groupId "
+      + "inner join User u on ug.userId=u.id "
+      + "where u.username=:username "
+      + "and r.status='1' and g.status='1' and u.status='1' and u.enabled=1 ")
+  public List<Role> selectUserGroupRoleByUsername(@Param("username") String username);
+
+  public default List<Role> selectByUsername(String username) {
+    List<Role> roles = new ArrayList<Role>();
+    
+    List<Role> userRoles = selectUserRoleByUsername(username);
+    roles.addAll(userRoles);
+    
+    List<Role> userGroupRoles = selectUserGroupRoleByUsername(username);
+    roles.addAll(userGroupRoles);
+    
+    return roles;
+  }
+  
+}
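Review bot: `selectByUsername` appends the group-derived roles to the direct ones without de-duplicating, so a role granted both directly and through a group appears twice in the returned list. If callers expect each role once, collapse by id before returning: fill a `Map<String, Role> byId = new LinkedHashMap<String, Role>();` with `byId.putIfAbsent(r.getId(), r)` over both lists and `return new ArrayList<Role>(byId.values());`, which needs `java.util.LinkedHashMap` imported. A Javadoc line would also help, stating that only roles with status '1' are returned, and only for enabled users with status '1', because that filter is otherwise visible only inside the two `@Query` strings.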
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/UserGroupRepository.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/UserGroupRepository.java
new file mode 100644
index 0000000..04f26d0
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/UserGroupRepository.java
@@ -0,0 +1,151 @@
+package com.supwisdom.leaveschool.user.repository;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.data.domain.Example;
+import org.springframework.data.domain.ExampleMatcher;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.stereotype.Repository;
+
+import com.supwisdom.leaveschool.common.repository.BaseJpaRepository;
+import com.supwisdom.leaveschool.common.util.MapBeanUtils;
+import com.supwisdom.leaveschool.user.domain.Group;
+import com.supwisdom.leaveschool.user.domain.UserGroup;
+import com.supwisdom.leaveschool.user.domain.User;
+
+@Repository
+public interface UserGroupRepository extends BaseJpaRepository<UserGroup> {
+
+  public default Page<UserGroup> selectPageList(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+    UserGroup probe = new UserGroup();
+    if (mapBean != null) {
+      probe.setGroupId(MapBeanUtils.getString(mapBean, "groupId"));
+      probe.setUserId(MapBeanUtils.getString(mapBean, "userId"));
+    }
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("groupId", ExampleMatcher.GenericPropertyMatchers.exact())
+        .withMatcher("userId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<UserGroup> example = Example.of(probe, matcher);
+
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+
+    Page<UserGroup> page = this.findAll(example, pageRequest);
+
+    return page;
+  }
+
+  public default Page<UserGroup> selectUserGroups(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+
+    UserGroup probe = new UserGroup();
+    if (mapBean != null) {
+      probe.setGroupId(MapBeanUtils.getString(mapBean, "groupId"));
+      probe.setUserId(MapBeanUtils.getString(mapBean, "userId"));
+    }
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("groupId", ExampleMatcher.GenericPropertyMatchers.exact())
+        .withMatcher("userId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<UserGroup> example = Example.of(probe, matcher);
+
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+
+    Page<UserGroup> page = this.findAll(example, pageRequest);  // FIXME: 多表关联查询
+
+    return page;
+  }
+
+
+  public default void relateUserGroups(User user, List<UserGroup> userGroups) {
+
+    List<UserGroup> existUserGroups = this.selectListByUserId(user.getId());
+
+    Map<String, UserGroup> existMapUserGroups = new LinkedHashMap<String, UserGroup>();
+    for (UserGroup userGroup : existUserGroups) {
+      String k = String.format("%s", userGroup.getGroupId());
+      existMapUserGroups.put(k, userGroup);
+    }
+
+    for (UserGroup userGroup : userGroups) {
+      String k = String.format("%s", userGroup.getGroupId());
+
+      if (existMapUserGroups.containsKey(k)) {
+        existMapUserGroups.remove(k);
+      } else {
+        userGroup.setCompanyId(user.getCompanyId());
+        userGroup.setUserId(user.getId());
+
+        this.insert(userGroup);
+      }
+    }
+
+    for (UserGroup userGroup : existMapUserGroups.values()) {
+      this.deleteById(userGroup.getId());
+    }
+  }
+
+  public default List<UserGroup> selectListByUserId(String userId) {
+
+    UserGroup probe = new UserGroup();
+    probe.setUserId(userId);
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("userId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<UserGroup> example = Example.of(probe, matcher);
+
+    List<UserGroup> userGroups = this.findAll(example);
+
+    return userGroups;
+  }
+
+  
+  public default void relateGroupUsers(Group group, List<UserGroup> userGroups) {
+
+    List<UserGroup> existGroupUsers = this.selectListByGroupId(group.getId());
+
+    Map<String, UserGroup> existMapGroupUsers = new LinkedHashMap<String, UserGroup>();
+    for (UserGroup userGroup : existGroupUsers) {
+      String k = String.format("%s", userGroup.getUserId());
+      existMapGroupUsers.put(k, userGroup);
+    }
+
+    for (UserGroup userGroup : userGroups) {
+      String k = String.format("%s", userGroup.getUserId());
+
+      if (existMapGroupUsers.containsKey(k)) {
+        existMapGroupUsers.remove(k);
+      } else {
+        userGroup.setCompanyId(group.getCompanyId());
+        userGroup.setGroupId(group.getId());
+
+        this.insert(userGroup);
+      }
+    }
+
+    for (UserGroup userGroup : existMapGroupUsers.values()) {
+      this.deleteById(userGroup.getId());
+    }
+  }
+
+  public default List<UserGroup> selectListByGroupId(String groupId) {
+
+    UserGroup probe = new UserGroup();
+    probe.setGroupId(groupId);
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("groupId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<UserGroup> example = Example.of(probe, matcher);
+
+    List<UserGroup> userGroups = this.findAll(example);
+
+    return userGroups;
+  }
+
+}
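Review bot: `relateUserGroups` inserts a duplicate link when `userGroups` contains the same `groupId` twice: the first occurrence removes the key from `existMapUserGroups` (or inserts), and the second no longer finds the key and falls into the `else` branch. `relateGroupUsers` in this file has the same shape keyed by `getUserId()`, as do `relatePermissionRoles` in the preceding file and `relateUserRoles` / `relateRoleUsers` in UserRoleRepository. Tracking the keys already handled fixes it: declare `Set<String> seen = new HashSet<String>();` before the second loop and start its body with `if (!seen.add(k)) { continue; }`, which needs `java.util.HashSet` and `java.util.Set` imported. Separately, `String.format("%s", ...)` turns a null id into the key "null", so entries with a missing id are silently treated as one real group.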
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/UserRepository.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/UserRepository.java
new file mode 100644
index 0000000..dbeb279
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/UserRepository.java
@@ -0,0 +1,100 @@
+package com.supwisdom.leaveschool.user.repository;
+
+import java.util.Map;
+import java.util.Optional;
+
+import org.springframework.data.domain.Example;
+import org.springframework.data.domain.ExampleMatcher;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.stereotype.Repository;
+
+import com.supwisdom.leaveschool.common.repository.BaseJpaRepository;
+import com.supwisdom.leaveschool.common.util.MapBeanUtils;
+import com.supwisdom.leaveschool.user.domain.User;
+
+@Repository
+public interface UserRepository extends BaseJpaRepository<User> {
+  
+  public default Page<User> selectPageList(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+    User probe = new User();
+    if (mapBean != null) {
+      probe.setUsername(MapBeanUtils.getString(mapBean, "username"));
+      probe.setName(MapBeanUtils.getString(mapBean, "name"));
+      probe.setStatus(MapBeanUtils.getString(mapBean, "status"));
+    }
+    
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("username", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("name", ExampleMatcher.GenericPropertyMatchers.contains())
+        .withMatcher("status", ExampleMatcher.GenericPropertyMatchers.exact());
+    
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+    Example<User> example = Example.of(probe, matcher);
+    
+    Page<User> page = this.findAll(example, pageRequest);
+    
+    return page;
+  }
+  
+  /*
+  public default User selectById(String id) {
+    
+    try {
+      Optional<User> entity = this.findById(id);
+      
+      return entity.get();
+    } catch(RuntimeException e) {
+      System.out.println("RuntimeException:"+e.getMessage());
+    } catch(Exception e) {
+      System.out.println("Exception:"+e.getMessage());
+    }
+    
+    return null;
+  }
+  
+  public default User insert(User entity) {
+    
+    if (entity.getCompanyId() == null || entity.getCompanyId().isEmpty()) {
+      entity.setCompanyId("1");
+    }
+    
+    entity.setDeleted(false);
+    //entity.setAddAccount(AuthUtil.getRemoteUser());
+    entity.setAddTime(Calendar.getInstance().getTime());
+    
+    User e = this.save(entity);
+    
+    return e;
+  }
+  
+  public default User update(User entity) {
+    
+    //entity.setEditAccount(AuthUtil.getRemoteUser());
+    entity.setEditTime(Calendar.getInstance().getTime());
+    
+    User e = this.save(entity);
+    
+    return e;
+  }
+  */
+  
+  public default User selectByUsername(String username) {
+    User probe = new User();
+    probe.setUsername(username);
+    
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("username", ExampleMatcher.GenericPropertyMatchers.exact());
+    
+    Example<User> example = Example.of(probe, matcher);
+    
+    Optional<User> u = this.findOne(example);
+    
+    if (u.isPresent()) {
+      return u.get();
+    }
+    
+    return null;
+  }
+
+}
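Review bot: `selectByUsername` matches on `username` alone, so it also returns users that the role queries in RoleRepository exclude (`u.status='1' and u.enabled=1`); a caller that uses it for login has to check both fields itself, and nothing here says so. I would add a Javadoc such as `/** Returns the user with exactly this username, or null if none; status and enabled are not checked. */`. `findOne` raises an exception when more than one row matches, so the method also relies on `username` being unique, which is not visible in this hunk. The commented-out `selectById` / `insert` / `update` block should be deleted rather than committed.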
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/UserRoleRepository.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/UserRoleRepository.java
new file mode 100644
index 0000000..995da11
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/repository/UserRoleRepository.java
@@ -0,0 +1,150 @@
+package com.supwisdom.leaveschool.user.repository;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.data.domain.Example;
+import org.springframework.data.domain.ExampleMatcher;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.stereotype.Repository;
+
+import com.supwisdom.leaveschool.common.repository.BaseJpaRepository;
+import com.supwisdom.leaveschool.common.util.MapBeanUtils;
+import com.supwisdom.leaveschool.user.domain.Role;
+import com.supwisdom.leaveschool.user.domain.User;
+import com.supwisdom.leaveschool.user.domain.UserRole;
+
+@Repository
+public interface UserRoleRepository extends BaseJpaRepository<UserRole> {
+
+  public default Page<UserRole> selectPageList(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+
+    UserRole probe = new UserRole();
+    if (mapBean != null) {
+      probe.setUserId(MapBeanUtils.getString(mapBean, "userId"));
+      probe.setRoleId(MapBeanUtils.getString(mapBean, "roleId"));
+    }
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("userId", ExampleMatcher.GenericPropertyMatchers.exact())
+        .withMatcher("roleId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+    Example<UserRole> example = Example.of(probe, matcher);
+
+    Page<UserRole> page = this.findAll(example, pageRequest);
+
+    return page;
+  }
+
+  public default Page<UserRole> selectUserRoles(int pageIndex, int pageSize, Map<String, Object> mapBean) {
+
+    UserRole probe = new UserRole();
+    if (mapBean != null) {
+      probe.setUserId(MapBeanUtils.getString(mapBean, "userId"));
+      probe.setRoleId(MapBeanUtils.getString(mapBean, "roleId"));
+    }
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("userId", ExampleMatcher.GenericPropertyMatchers.exact())
+        .withMatcher("roleId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<UserRole> example = Example.of(probe, matcher);
+
+    PageRequest pageRequest = PageRequest.of(pageIndex, pageSize);
+
+    Page<UserRole> page = this.findAll(example, pageRequest); // FIXME: 多表关联查询
+
+    return page;
+  }
+
+  public default void relateUserRoles(User user, List<UserRole> userRoles) {
+
+    List<UserRole> existUserRoles = this.selectListByUserId(user.getId());
+
+    Map<String, UserRole> existMapUserRoles = new LinkedHashMap<String, UserRole>();
+    for (UserRole userRole : existUserRoles) {
+      String k = String.format("%s", userRole.getRoleId());
+      existMapUserRoles.put(k, userRole);
+    }
+
+    for (UserRole userRole : userRoles) {
+      String k = String.format("%s", userRole.getRoleId());
+
+      if (existMapUserRoles.containsKey(k)) {
+        existMapUserRoles.remove(k);
+      } else {
+        userRole.setCompanyId(user.getCompanyId());
+        userRole.setUserId(user.getId());
+
+        this.insert(userRole);
+      }
+    }
+
+    for (UserRole userRole : existMapUserRoles.values()) {
+      this.deleteById(userRole.getId());
+    }
+  }
+
+  public default List<UserRole> selectListByUserId(String userId) {
+
+    UserRole probe = new UserRole();
+    probe.setUserId(userId);
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("userId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<UserRole> example = Example.of(probe, matcher);
+
+    List<UserRole> userRoles = this.findAll(example);
+
+    return userRoles;
+  }
+
+  
+  public default void relateRoleUsers(Role role, List<UserRole> userRoles) {
+
+    List<UserRole> existRoleUsers = this.selectListByRoleId(role.getId());
+
+    Map<String, UserRole> existMapRoleUsers = new LinkedHashMap<String, UserRole>();
+    for (UserRole userRole : existRoleUsers) {
+      String k = String.format("%s", userRole.getUserId());
+      existMapRoleUsers.put(k, userRole);
+    }
+
+    for (UserRole userRole : userRoles) {
+      String k = String.format("%s", userRole.getUserId());
+
+      if (existMapRoleUsers.containsKey(k)) {
+        existMapRoleUsers.remove(k);
+      } else {
+        userRole.setCompanyId(role.getCompanyId());
+        userRole.setRoleId(role.getId());
+
+        this.insert(userRole);
+      }
+    }
+
+    for (UserRole userRole : existMapRoleUsers.values()) {
+      this.deleteById(userRole.getId());
+    }
+  }
+
+  public default List<UserRole> selectListByRoleId(String roleId) {
+
+    UserRole probe = new UserRole();
+    probe.setRoleId(roleId);
+
+    ExampleMatcher matcher = ExampleMatcher.matching()
+        .withMatcher("roleId", ExampleMatcher.GenericPropertyMatchers.exact());
+
+    Example<UserRole> example = Example.of(probe, matcher);
+
+    List<UserRole> userRoles = this.findAll(example);
+
+    return userRoles;
+  }
+
+}
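Review bot: In `relateUserRoles` and `relateRoleUsers` the caller-supplied `UserRole` is handed to `this.insert(...)` after only `companyId` and one side of the link are overwritten, so any other field the caller populated, including `id`, reaches the persistence layer unchanged. What `insert` does with a preset id is defined in `BaseJpaRepository`, outside this hunk; if it delegates to `save`, a preset id could update an existing link instead of creating one. Since these rows grant roles, it is safer to persist a fresh object: `UserRole link = new UserRole(); link.setRoleId(userRole.getRoleId());` followed by the existing `setCompanyId` / `setUserId` calls on `link`. The method should also be documented as replacing the user's whole role set, because every existing link missing from `userRoles` is deleted.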
diff --git a/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/util/AuthUtil.java b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/util/AuthUtil.java
new file mode 100644
index 0000000..29366aa
--- /dev/null
+++ b/leaveschool/user/src/main/java/com/supwisdom/leaveschool/user/util/AuthUtil.java
@@ -0,0 +1,87 @@
+package com.supwisdom.leaveschool.user.util;
+
+import java.util.Enumeration;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+public class AuthUtil {
+
+  private static final Logger logger = LoggerFactory.getLogger(AuthUtil.class);
+
+  public static String getRemoteUser() {
+    
+    if (RequestContextHolder.getRequestAttributes() != null) {
+      ServletRequestAttributes servletRequestAttributes = (ServletRequestAttributes)RequestContextHolder.getRequestAttributes();
+      if (servletRequestAttributes != null) {
+        HttpServletRequest httpServletRequest = servletRequestAttributes.getRequest();
+        if (httpServletRequest != null) {
+          String remoteUser = httpServletRequest.getRemoteUser();
+          logger.debug("httpServletRequest.getRemoteUser(): {}", remoteUser);
+          
+          if (remoteUser == null || remoteUser.isEmpty()) {
+            remoteUser = httpServletRequest.getHeader("remote_user");
+            logger.debug("remote_user: {}", remoteUser);
+          }
+          
+          if (remoteUser != null) {
+            return remoteUser;
+          }
+
+          if (logger.isDebugEnabled()) {
+            logger.debug("request headers: ");
+            Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
+            while(headerNames.hasMoreElements()) {
+              String headerName = headerNames.nextElement();
+              logger.debug("{}: {}", headerName, httpServletRequest.getHeader(headerName));
+            }
+            logger.debug("request headers: ");
+          }
+          
+        }
+      }
+    }
+    
+    //logger.warn("FIXME: currentUsername. return 'user' by default.");
+    //return "user";  // FIXME: currentUsername
+    throw new RuntimeException("exception.authentication.remote.user.must.not.empty");
+
+    /*
+    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+
+    if (authentication == null) {
+      logger.error("authentication is null");
+      return null;
+    }
+
+    logger.debug("authentication is {}", authentication.getPrincipal());
+
+    if (!authentication.isAuthenticated()) {
+      logger.error("authentication is not authenticated");
+      return null;
+    }
+
+    if (authentication.getPrincipal() == null) {
+      logger.error("authentication's principal is null");
+      return null;
+    }
+
+    logger.debug("authentication's principal is {}", authentication.getPrincipal());
+
+    //if (authentication.getPrincipal() instanceof MyUser) {
+    //  return ((MyUser) authentication.getPrincipal()).getUsername();
+    //}
+    if (authentication.getPrincipal() instanceof String) {
+      return String.valueOf(authentication.getPrincipal());
+    }
+    
+
+    return null;
+    */
+  }
+
+}
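Review bot: The fallback `httpServletRequest.getHeader("remote_user")` takes the caller identity from a request header, which any client can set unless a gateway in front of this service strips and rewrites it; nothing in this file enforces that. If the deployment relies on such a gateway, state it on the method, e.g. `// remote_user is trusted only because the gateway overwrites it; this service must not be reachable directly`, and otherwise drop the fallback. The next check, `if (remoteUser != null)`, returns an empty header value as the user name; `if (remoteUser != null && !remoteUser.isEmpty())` would match the exception message. The debug loop logs every header value, which includes Authorization and Cookie, and application.yml in this commit sets `com.supwisdom.leaveschool` to DEBUG, so that loop is active with the committed configuration.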
diff --git a/leaveschool/user/src/main/resources/application.yml b/leaveschool/user/src/main/resources/application.yml
new file mode 100644
index 0000000..5493de8
--- /dev/null
+++ b/leaveschool/user/src/main/resources/application.yml
@@ -0,0 +1,44 @@
+server:
+  port: 10010
+
+## logging
+logging:
+  level:
+    root: INFO
+    org.springframework.web: TRACE
+    org.springframework.data.jpa: TRACE
+    com.supwisdom.infras.security: DEBUG
+    com.supwisdom.leaveschool: DEBUG
+
+spring:
+  application:
+    name: sample-user
+  datasource:
+    driver-class-name: com.mysql.jdbc.Driver
+    url: jdbc:mysql://172.50.10.15:3306/lixiao?useUnicode=true&characterEncoding=utf8&characterSetResults=utf8&autoReconnect=true&zeroDateTimeBehavior=convertToNull
+    username: lixiao
+    password: lixiao@1234
+  jpa:
+    hibernate:
+      ddl-auto: none
+      naming:
+        physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
+    show-sql: true
+
+infras:
+  mvc:
+# 自定义error输出的例子
+    custom-error:
+      enabled: true
+      error-map:
+        org.springframework.validation.BindException: Customized Bind Error Reason
+      include-message: true
+      include-errors: true
+      include-error: true
+      include-exception: true
+      include-path: true
+      include-timestamp: true
+      include-status: true
+  data:
+    jpa:
+      basePackages: com.supwisdom.leaveschool.user.repository
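Review bot: The datasource `username` and `password` are committed in clear text together with the database host, so everyone with read access to the repository, and every copy of its history, holds working credentials. Move them out of the file, e.g. `password: ${DB_PASSWORD}` (the variable name is a placeholder) resolved from the environment or a secret store, and rotate the password that is now in history. The `custom-error` block also turns on `include-exception` and `include-message`, which presumably put exception details into error responses, and `org.springframework.web` logs at TRACE; both are reasonable for a local sample but disclose internals if this file is used as a deployed profile.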
