diff --git a/samples/common/src/main/java/com/supwisdom/leaveschool/common/controller/api/CrudApiController.java b/samples/common/src/main/java/com/supwisdom/leaveschool/common/controller/api/CrudApiController.java
index a84d7f4..b9474e8 100644
--- a/samples/common/src/main/java/com/supwisdom/leaveschool/common/controller/api/CrudApiController.java
+++ b/samples/common/src/main/java/com/supwisdom/leaveschool/common/controller/api/CrudApiController.java
@@ -154,7 +154,7 @@
    * response success: 
    * 
    * {
-   *   "success":"info.save.success"
+   *   "success":"info.create.success"
    * }
    * 
    * response error 401:
@@ -184,13 +184,13 @@
   @PostMapping(consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
   @ResponseStatus(value = HttpStatus.OK)
   @ResponseBody
-  public Map<String, Object> save(@RequestBody D d) {
+  public Map<String, Object> create(@RequestBody D d) {
     
     @SuppressWarnings("unused")
     D ret = getRepository().insert(d);
     
     Map<String, Object> res = new HashMap<String, Object>();
-    res.put("success", "info.save.success");
+    res.put("success", "info.create.success");
     
     return res;
   }
diff --git a/samples/gateway/src/main/resources/application.yml b/samples/gateway/src/main/resources/application.yml
index 72fcad4..ee435bf 100755
--- a/samples/gateway/src/main/resources/application.yml
+++ b/samples/gateway/src/main/resources/application.yml
@@ -22,7 +22,7 @@
         predicates:
         - Path=/sample-user/**
         filters:
-        - AddRequestHeader=Remote_User, admin
+        #- AddRequestHeader=Remote_User, admin
         #- RewritePath=/(?<prefix>.*)/sample-user/(?<suffix>.*), /$\{prefix}/$\{suffix}
         - RewritePath=/sample-user/(?<suffix>.*), /$\{suffix}
         - name: Hystrix
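Review bot: With the `AddRequestHeader=Remote_User, admin` filter commented out, this route no longer sets `Remote_User`, and nothing in the visible filter list strips a value sent by the client. If the sample-user service reads that header as the caller's identity (not visible in this diff), a request can supply it directly. Adding `- RemoveRequestHeader=Remote_User` to the filters list would close that until a real authentication filter populates the header. The commented-out line is better deleted than kept, because re-enabling it makes every request through this route act as admin.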
diff --git a/samples/user/pom.xml b/samples/user/pom.xml
index e6c0032..0b782b5 100644
--- a/samples/user/pom.xml
+++ b/samples/user/pom.xml
@@ -64,8 +64,14 @@
      -->
 
     <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-core</artifactId>
+    </dependency>
+
+    <dependency>
       <groupId>mysql</groupId>
       <artifactId>mysql-connector-java</artifactId>
+      <scope>runtime</scope>
     </dependency>
 
     <!-- Test things -->
@@ -81,6 +87,12 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>com.h2database</groupId>
+      <artifactId>h2</artifactId>
+      <scope>test</scope>
+    </dependency>
+
   </dependencies>
 
   <build>
diff --git a/samples/user/src/main/java/com/supwisdom/leaveschool/user/config/PasswordEncoderConfig.java b/samples/user/src/main/java/com/supwisdom/leaveschool/user/config/PasswordEncoderConfig.java
new file mode 100644
index 0000000..a92dea4
--- /dev/null
+++ b/samples/user/src/main/java/com/supwisdom/leaveschool/user/config/PasswordEncoderConfig.java
@@ -0,0 +1,30 @@
+package com.supwisdom.leaveschool.user.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class PasswordEncoderConfig {
+  
+  private static final Logger logger = LoggerFactory.getLogger(PasswordEncoderConfig.class);
+  
+  @Bean
+  public PasswordEncoder passwordEncoder() {
+    
+    PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
+
+    if (passwordEncoder instanceof DelegatingPasswordEncoder) {
+      ((DelegatingPasswordEncoder)passwordEncoder).setDefaultPasswordEncoderForMatches(NoOpPasswordEncoder.getInstance());
+    }
+
+    logger.debug("PasswordEncoderConfig passwordEncoder is {}", passwordEncoder);
+    return passwordEncoder;
+  }
+
+}
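Review bot: The `setDefaultPasswordEncoderForMatches(NoOpPasswordEncoder.getInstance())` call in `passwordEncoder()` makes every stored value without an `{id}` prefix match by plain string comparison, so plaintext passwords in the user table stay valid indefinitely. If this is a migration shim for existing rows, say so with a comment such as `// Legacy rows without an {id} prefix are compared as plaintext; remove once all passwords are re-encoded.` and re-encode on successful login so the fallback can be dropped. `NoOpPasswordEncoder` is deprecated in Spring Security precisely because it stores nothing but the raw value. The `instanceof` guard also skips the call silently if the factory ever returns another type, so a log line in an else branch would make that visible.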
diff --git a/samples/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminUserController.java b/samples/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminUserController.java
index d1a6137..e18015b 100644
--- a/samples/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminUserController.java
+++ b/samples/user/src/main/java/com/supwisdom/leaveschool/user/controller/api/admin/Api1AdminUserController.java
@@ -8,6 +8,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.util.MimeTypeUtils;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -46,6 +47,9 @@
 
   @Autowired
   private UserRoleRepository userRoleRepository;
+  
+  @Autowired
+  private PasswordEncoder passwordEncoder;
 
   @Override
   protected UserRepository getRepository() {
@@ -208,7 +212,7 @@
    * 
    * <pre>
    * {
-   *   "success":"info.save.success"
+   *   "success":"info.create.success"
    * }
    * </pre>
    * 
@@ -244,13 +248,19 @@
   @PostMapping(consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
   @ResponseStatus(value = HttpStatus.OK)
   @ResponseBody
-  public Map<String, Object> save(@RequestBody User user) {
+  public Map<String, Object> create(@RequestBody User user) {
+    
+    // FIXME: 验证数据有效性
+    
+    if (user.getPassword() !=null && user.getPassword().length() > 0 && !user.getPassword().startsWith("{")) {
+      user.setPassword(passwordEncoder.encode(user.getPassword()));
+    }
 
     @SuppressWarnings("unused")
     User ret = userRepository.insert(user);
 
     Map<String, Object> res = new HashMap<String, Object>();
-    res.put("success", "info.save.success");
+    res.put("success", "info.create.success");
 
     return res;
   }
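Review bot: The `!user.getPassword().startsWith("{")` condition in `create` lets the request body decide how the password is stored: any value beginning with `{` is inserted verbatim, so a client-chosen `{id}` prefix or a real password that happens to start with a brace is saved without hashing. Request-supplied passwords should always be encoded, `if (user.getPassword() != null && !user.getPassword().isEmpty()) {`, with pre-encoded values kept to a separate import path that the API cannot reach. The same condition is repeated in the update hunk at `@@ -329,6 +339,10 @@`, whose enclosing method starts outside that hunk; a private helper shared by both would keep them in step. The `// FIXME` above the check is also the place to reject a null or empty password, which currently falls through to `insert` unchanged.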
@@ -329,6 +339,10 @@
     if (tmp == null) {
       throw new RuntimeException("exception.update.domain.not.exist"); // FIXME: RestException
     }
+    
+    if (user.getPassword() !=null && user.getPassword().length() > 0 && !user.getPassword().startsWith("{")) {
+      user.setPassword(passwordEncoder.encode(user.getPassword()));
+    }
 
     tmp = DomainUtils.merge(user, tmp);
 
