diff --git a/backend/src/main/java/com/stdproject/config/SecurityConfig.java b/backend/src/main/java/com/stdproject/config/SecurityConfig.java
index 1f6dc64..48a4688 100644
--- a/backend/src/main/java/com/stdproject/config/SecurityConfig.java
+++ b/backend/src/main/java/com/stdproject/config/SecurityConfig.java
@@ -43,16 +43,16 @@ public class SecurityConfig {
 @Value("${spring.security.jwt.enabled:true}")
 private boolean jwtEnabled;
-
+
 @Value("${spring.security.cors.allowed-origins:http://localhost:3000,http://localhost:8080}")
 private List allowedOrigins;
-
+
 @Value("${spring.security.cors.max-age:3600}")
 private Long corsMaxAge;
-
+
 // 公开路径配置
 private static final String[] PUBLIC_PATHS = {
- "/api/auth/**",
+ "/auth/**",
 "/api/public/**",
 "/swagger-ui/**",
 "/v3/api-docs/**",
@@ -80,31 +80,31 @@ public class SecurityConfig {
 @Bean
 public CorsConfigurationSource corsConfigurationSource() {
 CorsConfiguration configuration = new CorsConfiguration();
-
+
 // 设置允许的源,支持配置化
 configuration.setAllowedOrigins(allowedOrigins);
-
+
 // 设置允许的HTTP方法
 configuration.setAllowedMethods(Arrays.asList(
 "GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"
 ));
-
+
 // 设置允许的请求头
 configuration.setAllowedHeaders(Arrays.asList(
- "Authorization", "Content-Type", "X-Requested-With",
- "Accept", "Origin", "Access-Control-Request-Method",
+ "Authorization", "Content-Type", "X-Requested-With",
+ "Accept", "Origin", "Access-Control-Request-Method",
 "Access-Control-Request-Headers", "X-CSRF-TOKEN"
 ));
-
+
 // 设置暴露的响应头
 configuration.setExposedHeaders(Arrays.asList(
 "Access-Control-Allow-Origin", "Access-Control-Allow-Credentials",
 "Authorization", "Content-Disposition"
 ));
-
+
 configuration.setAllowCredentials(true);
 configuration.setMaxAge(corsMaxAge);
-
+
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 source.registerCorsConfiguration("/**", configuration);
 return source;
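Review bot: The `PUBLIC_PATHS` entry changed from `/api/auth/**` to `/auth/**` no longer shares the `/api/` prefix that the neighbouring `/api/public/**` entry keeps, so either the auth controller's request mapping moved as well or this is a typo. If the two disagree, login requests fall behind `anyRequest().authenticated()` and get a 401; if `/auth/**` is broader than the controller actually maps, anything later mounted under `/auth/` is reachable without a token. Prefer enumerating the few endpoints that genuinely must be anonymous (the login and refresh style calls implied by the JWT settings) over a wildcard, and pin the coupling with a comment next to the entry: `// must match the auth controller's request mapping; keep in sync`. The constant is at class scope; the request-matcher block that consumes it is outside this hunk.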
@@ -119,22 +119,22 @@ public class SecurityConfig {
 http
 // CORS配置
 .cors(cors -> cors.configurationSource(corsConfigurationSource()))
-
+
 // 禁用CSRF(因为使用JWT,无状态)
 .csrf(csrf -> csrf.disable())
-
+
 // 会话管理配置
 .sessionManagement(session -> session
 .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
 .maximumSessions(1)
 .maxSessionsPreventsLogin(false)
 )
-
+
 // 异常处理配置
 .exceptionHandling(ex -> ex
 .authenticationEntryPoint(jwtAuthenticationEntryPoint)
 )
-
+
 // 安全头配置
 .headers(headers -> headers
 // 禁用iframe嵌入,防止点击劫持攻击
@@ -157,7 +157,7 @@ public class SecurityConfig {
 // 其他所有请求都需要认证
 .anyRequest().authenticated()
 );
-
+
 // 添加JWT过滤器
 http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
 } else {
@@ -169,4 +169,4 @@ public class SecurityConfig {
 return http.build();
 }
-}
\ No newline at end of file
+}
diff --git a/backend/src/main/java/com/stdproject/service/impl/AppUserServiceImpl.java b/backend/src/main/java/com/stdproject/service/impl/AppUserServiceImpl.java
index 5033d88..6860a8b 100644
--- a/backend/src/main/java/com/stdproject/service/impl/AppUserServiceImpl.java
+++ b/backend/src/main/java/com/stdproject/service/impl/AppUserServiceImpl.java
@@ -30,9 +30,9 @@ public class AppUserServiceImpl extends ServiceImpl impl
 @Override
 public AppUser findByUsername(String username) {
- return getOne(new QueryWrapper().eq("username", username).select( "id", "username", "orgid", "usertype","nickname"));
+ return getOne(new QueryWrapper().eq("username", username).select( "id", "username","password","status", "orgid", "usertype","nickname"));
 }
-
+
 @Override
 public String getCurrentUsername() {
 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
@@ -41,7 +41,7 @@ public class AppUserServiceImpl extends ServiceImpl impl
 }
 return null;
 }
-
+
 @Override
 public AppUser getCurrentUser() {
 String username = getCurrentUsername();
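Review bot: `findByUsername` now selects `password` and `status` alongside the profile columns, so every caller receives an `AppUser` carrying the password hash, not only the credential-loading path that presumably motivated the change. `getCurrentUser()` (which begins at the end of this hunk and continues beyond it) appears to resolve the user through the same method, so any controller that returns or logs that object would emit the hash unless the `password` field is excluded from serialization on the entity. Consider keeping the narrow projection here and adding a dedicated query for authentication (e.g. `findCredentialsByUsername`), or at minimum confirm the field is write-only/`@JsonIgnore` and state the contract on the method: `// selects password/status for authentication; callers must not expose this entity directly`.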
@@ -71,7 +71,7 @@ public class AppUserServiceImpl extends ServiceImpl impl
 // 更新新密码
 user.setPassword(passwordEncoder.encode(newPassword));
 user.setPwdresettime(LocalDateTime.now());
-
+
 return updateById(user);
 }
-}
\ No newline at end of file
+}
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index 94135fc..8662cc9 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
@@ -44,7 +44,7 @@ spring:
 # max-lifetime: 1800000
 # connection-timeout: 30000
 # connection-test-query: SELECT 1
-
+
 cache:
 jcache:
 config: classpath:ehcache.xml # 指定Ehcache配置文件路径
@@ -53,7 +53,7 @@ spring:
 allowed-origins: ${CORS_ALLOWED_ORIGINS:http://localhost:3000,http://localhost:8080}
 max-age: ${CORS_MAX_AGE:3600} # 预检请求的缓存时间(秒)
 jwt:
- enabled: ${JWT_ENABLED:true} # 控制是否启用JWT认证
+ enabled: ${JWT_ENABLED:true} # 控制是否启用JWT认证
 secret: ${JWT_SECRET:YourJWTSecretKeyForStdProjectBackendApplicationWhichIsVeryLongAndSecure2024!@#$%^&*()}
 expiration-ms: ${JWT_EXPIRATION:86400000} # Token 过期时间 (例如: 24小时)
 refresh-expiration-ms: ${JWT_REFRESH_EXPIRATION:604800000} # 刷新Token过期时间 (例如: 7天)
@@ -147,7 +147,7 @@ spring:
 on-profile: dev
 security:
 jwt:
- enabled: false
+ enabled: true
 logging:
 level:
 com.stdproject: DEBUG
@@ -186,4 +186,4 @@ management:
 endpoints:
 web:
 exposure:
- include: health,info
\ No newline at end of file
+ include: health,info
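Review bot: With JWT now enforced in the `dev` profile, tokens are signed with whatever `JWT_SECRET` resolves to, and the base `jwt.secret` line in the `@@ -53` hunk of this file falls back to a literal key committed to the repository. Every developer machine and any deployment that forgets the variable therefore shares one well-known signing key, which is exactly the situation a JWT setup must avoid. Drop the default so startup fails fast when the variable is missing (`secret: ${JWT_SECRET}`), or give the dev profile its own `secret:` entry supplied from outside version control. A comment on the toggled line would make the dependency visible: `enabled: true  # JWT enforced in dev too; JWT_SECRET must be provided by the environment`.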