diff --git a/parent/center.manager/src/main/resources/dev/redis.properties b/parent/center.manager/src/main/resources/dev/redis.properties index 50adb7c..e7aac99 100644 --- a/parent/center.manager/src/main/resources/dev/redis.properties +++ b/parent/center.manager/src/main/resources/dev/redis.properties @@ -32,5 +32,5 @@ redis.maxIdle=300 redis.maxActive=600 redis.maxWait=1000 redis.testOnBorrow=true -redis.HttpSession.redisNamespace=hospital.mac +redis.HttpSession.redisNamespace=center spring.redis.cluster.max-redirects= 3 diff --git a/parent/hospital.web/src/main/java/com/lyms/hospital/controller/LoginController.java b/parent/hospital.web/src/main/java/com/lyms/hospital/controller/LoginController.java index 1f4a2d5..57d221d 100644 --- a/parent/hospital.web/src/main/java/com/lyms/hospital/controller/LoginController.java +++ b/parent/hospital.web/src/main/java/com/lyms/hospital/controller/LoginController.java @@ -6,6 +6,13 @@ import java.util.Map; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.StringUtils; +import org.apache.shiro.SecurityUtils; +import org.apache.shiro.authc.AccountException; +import org.apache.shiro.authc.AuthenticationException; +import org.apache.shiro.authc.AuthenticationToken; +import org.apache.shiro.authc.LockedAccountException; +import org.apache.shiro.authc.UnknownAccountException; +import org.apache.shiro.authc.UsernamePasswordToken; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; 
@@ -14,7 +21,9 @@ import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; +import com.alibaba.druid.support.json.JSONUtils; import com.alibaba.fastjson.JSON; +import com.alibaba.fastjson.JSONObject; import com.lyms.annotation.TokenRequired; import com.lyms.base.common.entity.organ.Organizations; import com.lyms.base.common.entity.role.Permissions; @@ -26,9 +35,11 @@ import com.lyms.base.common.service.role.RolesService; import com.lyms.base.common.service.user.UsersService; import com.lyms.constants.Constants; import com.lyms.hospital.service.token.TokenService; +import com.lyms.shiro.ShiroWebUtils; import com.lyms.util.DateTimeUtils; import com.lyms.util.InstanceUtils; import com.lyms.util.MD5Utils; +import com.lyms.util.StrUtils; import com.lyms.web.bean.AjaxResult; import com.lyms.web.controller.BaseController; 
@@ -106,24 +117,29 @@ public class LoginController extends BaseController { @RequestParam(value = "password", required = false) String password, AjaxResult ajaxResult, HttpServletResponse response) { + System.out.println("ShiroWebUtils.getCurrentUser()="+JSONObject.toJSONString(ShiroWebUtils.getCurrentUser())); ajaxResult.setSuccess(false); if (StringUtils.isEmpty(account) && (StringUtils.isEmpty(code) || StringUtils.isEmpty(password))) { ajaxResult.setMessage("登录账户或者验证码为空,请输入!"); return ajaxResult; } - Users users = usersService.getUserByUsername(account); - if(users == null){ - ajaxResult.setMessage("用户不存在!"); - return ajaxResult; - } - if(!users.getPwd().equals(MD5Utils.md5(password))){ - ajaxResult.setMessage("密码不正确!"); - return ajaxResult; - } - if(users.getEnable() < 1){ - ajaxResult.setMessage("用户被禁用!"); - return ajaxResult; + AuthenticationToken authenticationToken = new UsernamePasswordToken(account, password); + try { + // 查看ShiroRealm.class + SecurityUtils.getSubject().login(authenticationToken); + } catch (AuthenticationException e) { + if (e instanceof UnknownAccountException) { + ajaxResult.setMessage("用户不存在!"); + return ajaxResult; + } else if (e instanceof AccountException) { + ajaxResult.setMessage("密码不正确!"); + return ajaxResult; + } else if (e instanceof LockedAccountException) { + ajaxResult.setMessage("用户被禁用!"); + return ajaxResult; + } } + Users users = ShiroWebUtils.getCurrentUser(); //Organizations organizations = organizationsService.selectById( users.getOrgId()); Map result = InstanceUtils.newHashMap(); String token = tokenService.createToken(users); diff --git a/parent/hospital.web/src/main/java/com/lyms/hospital/shiro/ShiroRealm.java b/parent/hospital.web/src/main/java/com/lyms/hospital/shiro/ShiroRealm.java new file mode 100644 index 0000000..3ebdab4 --- /dev/null +++ b/parent/hospital.web/src/main/java/com/lyms/hospital/shiro/ShiroRealm.java 
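Review bot: The `e instanceof LockedAccountException` branch is unreachable, because in Shiro `LockedAccountException` extends `DisabledAccountException`, which extends `AccountException`, so a disabled user is answered with "密码不正确!"; and any other `AuthenticationException` — including the plain one Shiro's authenticator wraps around a `NullPointerException` from the realm, which is what the new `ShiroRealm` produces for an unknown username since it never throws `UnknownAccountException` — leaves the catch without returning and continues into `ShiroWebUtils.getCurrentUser()` and `tokenService.createToken(users)`. The added `System.out.println("ShiroWebUtils.getCurrentUser()=" + JSONObject.toJSONString(ShiroWebUtils.getCurrentUser()))` serializes the whole `Users` entity, including the `pwd` hash the realm compares against, to stdout on every login attempt and should be deleted rather than left as a debug line. Ordered specific catches plus a final catch-all that returns close both gaps; the `JSONUtils` and `StrUtils` imports added in the earlier hunks are not used anywhere this page shows. The login method starts before this hunk and its token-building tail continues after it.
```java
// … unchanged: empty account / code validation …
AuthenticationToken authenticationToken = new UsernamePasswordToken(account, password);
try {
    // 查看ShiroRealm.class
    SecurityUtils.getSubject().login(authenticationToken);
} catch (UnknownAccountException e) {
    ajaxResult.setMessage("用户不存在!");
    return ajaxResult;
} catch (LockedAccountException e) {
    // must precede AccountException: LockedAccountException is a subclass of it
    ajaxResult.setMessage("用户被禁用!");
    return ajaxResult;
} catch (AccountException e) {
    ajaxResult.setMessage("密码不正确!");
    return ajaxResult;
} catch (AuthenticationException e) {
    // any other failure (including realm errors wrapped by Shiro) must never reach token issuance
    ajaxResult.setMessage("登录失败!");
    return ajaxResult;
}
Users users = ShiroWebUtils.getCurrentUser();
// … unchanged: result map and tokenService.createToken(users) …
```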
@@ -0,0 +1,109 @@ +package com.lyms.hospital.shiro; + +import java.util.HashSet; +import java.util.List; + +import org.apache.shiro.authc.AccountException; +import org.apache.shiro.authc.AuthenticationException; +import org.apache.shiro.authc.AuthenticationInfo; +import org.apache.shiro.authc.AuthenticationToken; +import org.apache.shiro.authc.LockedAccountException; +import org.apache.shiro.authc.SimpleAuthenticationInfo; +import org.apache.shiro.authc.UsernamePasswordToken; +import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher; +import org.apache.shiro.authz.AuthorizationInfo; +import org.apache.shiro.authz.SimpleAuthorizationInfo; +import org.apache.shiro.realm.AuthorizingRealm; +import org.apache.shiro.subject.PrincipalCollection; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; + +import com.lyms.base.common.entity.user.Users; +import com.lyms.base.common.enums.StatusEnum; +import com.lyms.base.common.service.role.PermissionsService; +import com.lyms.base.common.service.user.UsersService; +import com.lyms.shiro.ShiroWebUtils; +import com.lyms.util.CollectionUtils; +import com.lyms.util.MD5Utils; +import com.lyms.util.StrUtils; + +/** + *
  • @ClassName: ShiroRealm + *
  • @Description: 自定义Realm授权与验证实现 + *
  • @author 方承 + *
  • @date 2015年12月29日 + *
  • + */ +public class ShiroRealm extends AuthorizingRealm { + + @SuppressWarnings("unused") + private static Logger logger = LoggerFactory.getLogger(ShiroRealm.class); + + public ShiroRealm() { + super(new AllowAllCredentialsMatcher()); + setAuthenticationTokenClass(UsernamePasswordToken.class); + // FIXME: 暂时禁用Cache + setCachingEnabled(false); + } + + @Autowired + private UsersService sysUsersService; + + private PermissionsService sysPermissionsService; + + // @Autowired + // private ResourceService resourceService; + + @Override + protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { + String username = (String) principals.getPrimaryPrincipal(); + Users user = sysUsersService.getUserByUsername(username); + // 授权 + SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); + List roleIdList = sysUsersService.getRoleIdListByUserid(user.getId()); + if (CollectionUtils.isNotEmpty(roleIdList)) { + authorizationInfo.setRoles(new HashSet(roleIdList)); + } + authorizationInfo.setStringPermissions(sysPermissionsService.getUserPermissionSet(user.getId(),"1")); + return authorizationInfo; + } + + @Override + protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) + throws AuthenticationException { + UsernamePasswordToken token = (UsernamePasswordToken) authcToken; + String username = token.getUsername(); + Users user = sysUsersService.getUserByUsername(username); + if (StatusEnum.isDisEnabled(user.getEnable())) { + throw new LockedAccountException("用户已经被禁用,请联系管理员!"); + } + StringBuilder pwd = new StringBuilder(100); + for (int i = 0; i < token.getPassword().length; i++) { + pwd.append(token.getPassword()[i]); + } + if (!StrUtils.equals(user.getPwd(), MD5Utils.md5(pwd.toString()))) { + throw new AccountException("用户名密码不一致"); + } + ShiroWebUtils.saveCurrentUser(user); + AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(username, pwd.toString(), username); + return authcInfo; + // User user 
= userService.getUserByUserName(username); + // if (user == null) { + // throw new UnknownAccountException("未知用户"); + // } + // StringBuilder pwd = new StringBuilder(100); + // for (int i = 0; i < token.getPassword().length; i++) { + // pwd.append(token.getPassword()[i]); + // } + // if (!StrUtils.equals(user.getPassword(), + // HashUtils.md5(pwd.toString()))) { + // throw new AccountException("用户名密码不一致"); + // } + // ShiroWebUtils.saveCurrentUser(user); + // AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(username, + // pwd.toString(), username); + // return authcInfo; + } + +} diff --git a/parent/hospital.web/src/main/resources/dev/redis.properties b/parent/hospital.web/src/main/resources/dev/redis.properties index f6314e7..ee93728 100644 --- a/parent/hospital.web/src/main/resources/dev/redis.properties +++ b/parent/hospital.web/src/main/resources/dev/redis.properties @@ -29,5 +29,5 @@ redis.maxIdle=300 redis.maxActive=600 redis.maxWait=1000 redis.testOnBorrow=true -redis.HttpSession.redisNamespace=hospital.mac +redis.HttpSession.redisNamespace=hospital spring.redis.cluster.max-redirects= 3 diff --git a/parent/hospital.web/src/main/resources/xml/app-shiro.xml b/parent/hospital.web/src/main/resources/xml/app-shiro.xml new file mode 100644 index 0000000..c6edf1c --- /dev/null +++ b/parent/hospital.web/src/main/resources/xml/app-shiro.xml @@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /login/tokens = anon + /** = user,forceLogout + + + + + + \ No newline at end of file diff --git a/parent/hospital.web/src/main/webapp/WEB-INF/web.xml b/parent/hospital.web/src/main/webapp/WEB-INF/web.xml index 120f458..9e4d3ea 100644 --- a/parent/hospital.web/src/main/webapp/WEB-INF/web.xml +++ b/parent/hospital.web/src/main/webapp/WEB-INF/web.xml 
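Review bot: `doGetAuthenticationInfo` dereferences `user` (`user.getEnable()`) without a null check, so an unknown username raises a `NullPointerException` instead of the `UnknownAccountException` that `LoginController` tests for; the commented-out block at the end of the method shows the intended check, and `UnknownAccountException` would need to be added to the imports. `token.getPassword()` can likewise be null when `LoginController` builds the `UsernamePasswordToken` from a missing `password` parameter, which makes the `for` loop throw as well. `sysPermissionsService` carries no `@Autowired`, unlike `sysUsersService`, so `doGetAuthorizationInfo` will call a null service on the first permission check unless app-shiro.xml injects it by property (the tag-stripped XML on this page does not show that). The password check compares an unsalted `MD5Utils.md5` digest with a plain `StrUtils.equals`, and the plaintext is then handed to `SimpleAuthenticationInfo` as credentials even though `AllowAllCredentialsMatcher` never reads it; passing the stored hash instead is the immediate fix, moving to a salted slow hash the longer-term one, and the dead commented-out copy of the method below `return authcInfo;` should go.
```java
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
        throws AuthenticationException {
    UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
    String username = token.getUsername();
    Users user = sysUsersService.getUserByUsername(username);
    if (user == null) {
        // distinct type so LoginController can report "用户不存在!"
        throw new UnknownAccountException("未知用户");
    }
    if (StatusEnum.isDisEnabled(user.getEnable())) {
        throw new LockedAccountException("用户已经被禁用,请联系管理员!");
    }
    char[] password = token.getPassword();
    if (password == null || !StrUtils.equals(user.getPwd(), MD5Utils.md5(new String(password)))) {
        throw new AccountException("用户名密码不一致");
    }
    ShiroWebUtils.saveCurrentUser(user);
    // credentials are never inspected (AllowAllCredentialsMatcher); keep the plaintext out of the info
    return new SimpleAuthenticationInfo(username, user.getPwd(), username);
}
```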
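Review bot: `/** = user,forceLogout` relies on Shiro's `user` filter, which also admits subjects that are merely remembered via a rememberMe cookie rather than authenticated in the current session; for endpoints that change state, `authc` is the stricter choice, and the tag-stripped XML on this page does not show whether a rememberMe manager is configured at all. `forceLogout` is not one of Shiro's default filters and its bean definition is not visible here, so its behaviour and ordering relative to `user` should be documented next to the filter chain. The `/login/tokens = anon` entry before the catch-all is correctly ordered, since Shiro applies the first matching pattern.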
@@ -58,6 +58,20 @@ /* + shiroFilter + org.springframework.web.filter.DelegatingFilterProxy + true + + targetFilterLifecycle + true + + + + shiroFilter + /* + REQUEST + + springSessionRepositoryFilter org.springframework.web.filter.DelegatingFilterProxy