diff --git a/src/main/java/neatlogic/framework/asynchronization/threadlocal/UserContext.java b/src/main/java/neatlogic/framework/asynchronization/threadlocal/UserContext.java
index b104140acc86a79ae19ff054a0de7ce57f6b9928..4829f25bbe617745a67880771835a4909c11e3d3 100644
--- a/src/main/java/neatlogic/framework/asynchronization/threadlocal/UserContext.java
+++ b/src/main/java/neatlogic/framework/asynchronization/threadlocal/UserContext.java
@@ -50,6 +50,10 @@ public class UserContext implements Serializable {
     //是否超级管理员
     private Boolean isSuperAdmin = false;
 
+    private String tokenHash;
+
+    private String env = null;
+
     public static UserContext init(UserContext _userContext) {
         UserContext context = new UserContext();
         if (_userContext != null) {
@@ -102,6 +106,10 @@ public class UserContext implements Serializable {
         context.setResponse(response);
         context.setTimezone(timezone);
         context.setAuthenticationInfoVo(authenticationInfoVo);
+        if (userVo.getJwtVo() != null) {
+            context.setTokenHash(userVo.getJwtVo().getTokenHash());
+            context.setEnv(userVo.getJwtVo().getEnv());
+        }
         instance.set(context);
         return context;
     }
@@ -259,8 +267,24 @@ public class UserContext implements Serializable {
     }
 
     public void setIsSuperAdmin(Boolean isSuperAdmin) {
-        if(isSuperAdmin != null) {
+        if (isSuperAdmin != null) {
             this.isSuperAdmin = isSuperAdmin;
         }
     }
+
+    public String getTokenHash() {
+        return tokenHash;
+    }
+
+    public void setTokenHash(String tokenHash) {
+        this.tokenHash = tokenHash;
+    }
+
+    public String getEnv() {
+        return env;
+    }
+
+    public void setEnv(String env) {
+        this.env = env;
+    }
 }
diff --git a/src/main/java/neatlogic/framework/dao/cache/UserSessionCache.java b/src/main/java/neatlogic/framework/dao/cache/UserSessionCache.java
index 00411f4f3ddca2da21265305513f44b028cefa56..10461fd1858ec38db08bda1adc172489a1528551 100644
--- a/src/main/java/neatlogic/framework/dao/cache/UserSessionCache.java
+++ b/src/main/java/neatlogic/framework/dao/cache/UserSessionCache.java
@@ -7,39 +7,39 @@ import net.sf.ehcache.config.CacheConfiguration;
 import net.sf.ehcache.config.Configuration;
 
 public class UserSessionCache {
-	private static CacheManager CACHE_MANAGER;
+    private static CacheManager CACHE_MANAGER;
 
-	private synchronized static Ehcache getCache() {
-		if (CACHE_MANAGER == null) {
-			CacheConfiguration cacheConfiguration = new CacheConfiguration();
-			cacheConfiguration.setName("UserSessionCache");
-			cacheConfiguration.setMemoryStoreEvictionPolicy("LRU");
-			cacheConfiguration.setMaxEntriesLocalHeap(1000);
-			cacheConfiguration.internalSetTimeToIdle(300);
-			cacheConfiguration.internalSetTimeToLive(600);
-			Configuration config = new Configuration();
-			config.addCache(cacheConfiguration);
-			CACHE_MANAGER = CacheManager.newInstance(config);
-		}
-		if (!CACHE_MANAGER.cacheExists("UserSessionCache")) {
-			CACHE_MANAGER.addCache("UserSessionCache");
-		}
-		return CACHE_MANAGER.getEhcache("UserSessionCache");
-	}
+    private synchronized static Ehcache getCache() {
+        if (CACHE_MANAGER == null) {
+            CacheConfiguration cacheConfiguration = new CacheConfiguration();
+            cacheConfiguration.setName("UserSessionCache");
+            cacheConfiguration.setMemoryStoreEvictionPolicy("LRU");
+            cacheConfiguration.setMaxEntriesLocalHeap(1000);
+            cacheConfiguration.internalSetTimeToIdle(300);
+            cacheConfiguration.internalSetTimeToLive(600);
+            Configuration config = new Configuration();
+            config.addCache(cacheConfiguration);
+            CACHE_MANAGER = CacheManager.newInstance(config);
+        }
+        if (!CACHE_MANAGER.cacheExists("UserSessionCache")) {
+            CACHE_MANAGER.addCache("UserSessionCache");
+        }
+        return CACHE_MANAGER.getEhcache("UserSessionCache");
+    }
 
-	public static void addItem(String tenant, String userUuid, Object item) {
-		getCache().put(new Element(tenant + ":" + userUuid, item));
-	}
+    public static void addItem(String key, Object item) {
+        getCache().put(new Element(key, item));
+    }
 
-	public static Object getItem(String tenant, String userUuid) {
-		Element cachedElement = getCache().get(tenant + ":" + userUuid);
-		if (cachedElement == null) {
-			return null;
-		}
-		return cachedElement.getObjectValue();
-	}
+    public static Object getItem(String key) {
+        Element cachedElement = getCache().get(key);
+        if (cachedElement == null) {
+            return null;
+        }
+        return cachedElement.getObjectValue();
+    }
 
-	public static boolean removeItem(String tenant, String userUuid){
-		return getCache().remove(tenant + ":" + userUuid);
-	}
+    public static void removeItem(String key) {
+        getCache().remove(key);
+    }
 }
diff --git a/src/main/java/neatlogic/framework/dao/mapper/RoleMapper.java b/src/main/java/neatlogic/framework/dao/mapper/RoleMapper.java
index d694615b646ca3d9efcd2cf895783d87f149aa3b..a6d67d9522c42829eeaee5ab51d0f20e87b20e02 100644
--- a/src/main/java/neatlogic/framework/dao/mapper/RoleMapper.java
+++ b/src/main/java/neatlogic/framework/dao/mapper/RoleMapper.java
@@ -35,6 +35,8 @@ public interface RoleMapper {
 
     List<String> getRoleUuidListByUserUuid(String userUuid);
 
+    List<String> getRoleUuidListByUserUuidAndEnv(@Param("userUuid") String userUuid, @Param("env") String env);
+
     List<ValueTextVo> searchRoleForSelect(RoleVo roleVo);
 
     List<RoleAuthVo> searchRoleAuthByRoleUuid(String roleUuid);
@@ -69,9 +71,11 @@ public interface RoleMapper {
 
     List<RoleTeamVo> getRoleTeamListByRoleUuidList(@Param("list") List<String> roleList);
 
-    List<RoleUserVo> getRoleUserListByRoleUuidList(@Param("list")List<String> roleList);
+    List<RoleUserVo> getRoleUserListByRoleUuidList(@Param("list") List<String> roleList);
+
+    List<String> getRoleUuidListByTeamUuidListAndEnv(@Param("teamUuidList") List<String> teamUuidList, @Param("env") String env);
 
-    List<String> getRoleUuidListByTeamUuidListAndCheckedChildren(@Param("teamUuidList") List<String> teamUuidList, @Param("checkedChildren") Integer checkedChildren);
+    List<String> getRoleUuidListByTeamUuidListAndCheckedChildrenAndEnv(@Param("teamUuidList") List<String> teamUuidList, @Param("checkedChildren") Integer checkedChildren, @Param("env") String env);
 
     /**
      * 根据team的uuid获取当前组的roleList
diff --git a/src/main/java/neatlogic/framework/dao/mapper/RoleMapper.xml b/src/main/java/neatlogic/framework/dao/mapper/RoleMapper.xml
index 7671472bfd147ad26d2efbb4345dcc7df39b818f..9649499cd35b5ece4898bb22c2abafecbfad67e3 100644
--- a/src/main/java/neatlogic/framework/dao/mapper/RoleMapper.xml
+++ b/src/main/java/neatlogic/framework/dao/mapper/RoleMapper.xml
@@ -48,7 +48,7 @@ limitations under the License.
         a.`description`
         FROM `role` a
         LEFT JOIN `role_authority` c ON a.`uuid` = c.`role_uuid`
-       <where>
+        <where>
             <if test="keyword != null and keyword != ''">
                 AND (name LIKE CONCAT('%',#{keyword}, '%') OR description LIKE CONCAT('%',#{keyword}, '%'))
             </if>
@@ -58,13 +58,13 @@ limitations under the License.
             <if test="auth != null and auth != ''">
                 AND c.`auth` = #{auth}
             </if>
-           <if test="roleUuidList != null and roleUuidList.size()>0">
-               and uuid in
-               <foreach collection="roleUuidList" item="roleUuid" open="(" separator="," close=")">
-                   #{roleUuid}
-               </foreach>
-           </if>
-       </where>
+            <if test="roleUuidList != null and roleUuidList.size()>0">
+                and uuid in
+                <foreach collection="roleUuidList" item="roleUuid" open="(" separator="," close=")">
+                    #{roleUuid}
+                </foreach>
+            </if>
+        </where>
         GROUP BY a.`uuid`
         ORDER BY a.`id` DESC
         <if test="needPage == true">
@@ -126,7 +126,8 @@ limitations under the License.
         SELECT `id`,
                `uuid`,
                `name`,
-               `description`
+               `description`,
+               `env`
         FROM `role`
         WHERE `uuid` = #{value}
     </select>
@@ -216,9 +217,8 @@ limitations under the License.
     </select>
 
     <select id="getRoleTeamListByRoleUuid" resultType="neatlogic.framework.dto.RoleTeamVo">
-        SELECT
-        `team_uuid` AS teamUuid,
-        `checked_children` AS checkedChildren
+        SELECT `team_uuid`        AS teamUuid,
+               `checked_children` AS checkedChildren
         FROM `team_role`
         WHERE `role_uuid` = #{value}
     </select>
@@ -256,13 +256,32 @@ limitations under the License.
         </foreach>
     </select>
 
-    <select id="getRoleUuidListByTeamUuidListAndCheckedChildren" resultType="java.lang.String" useCache="false">
-        SELECT `role_uuid` FROM `team_role` WHERE `team_uuid` IN
+    <select id="getRoleUuidListByTeamUuidListAndCheckedChildrenAndEnv" resultType="java.lang.String" useCache="false">
+        SELECT tr.`role_uuid` FROM `team_role` tr
+        <if test="env != null and env != ''">
+            left join `role` r on r.uuid= tr.role_uuid
+        </if>
+        WHERE tr.`team_uuid` IN
+        <foreach collection="teamUuidList" item="teamUuid" open="(" separator="," close=")">
+            #{teamUuid}
+        </foreach>
+        AND tr.`checked_children` = #{checkedChildren}
+        <if test="env != null and env != ''">
+            and (r.`env` = #{env} or r.`env` is null )
+        </if>
+    </select>
+
+    <select id="getRoleUuidListByTeamUuidListAndEnv" resultType="java.lang.String" useCache="false">
+        SELECT tr.`role_uuid` FROM `team_role` tr
+        <if test="env != null and env != ''">
+            left join `role` r on r.uuid= tr.role_uuid
+        </if>
+        WHERE tr.`team_uuid` IN
         <foreach collection="teamUuidList" item="teamUuid" open="(" separator="," close=")">
             #{teamUuid}
         </foreach>
-        <if test="checkedChildren != null">
-            AND `checked_children` = #{checkedChildren}
+        <if test="env != null and env != ''">
+            and (r.`env` = #{env} or r.`env` is null )
         </if>
     </select>
 
@@ -278,13 +297,13 @@ limitations under the License.
     </resultMap>
 
     <select id="getRoleListByTeamUuidList" resultMap="roleTeamMap">
-        SELECT t.uuid       as parentTeamUuid,
-               t.`name`     as parentTeamName,
-               tr.role_uuid as roleUuid,
-               r.`name`     as roleName
+        SELECT t.uuid as parentTeamUuid,
+        t.`name` as parentTeamName,
+        tr.role_uuid as roleUuid,
+        r.`name` as roleName
         FROM team t
-                 JOIN team_role tr ON tr.team_uuid = t.uuid
-                 LEFT JOIN role r ON r.uuid = tr.role_uuid
+        JOIN team_role tr ON tr.team_uuid = t.uuid
+        LEFT JOIN role r ON r.uuid = tr.role_uuid
         WHERE t.uuid IN
         <foreach collection="list" item="uuid" open="(" separator="," close=")">
             #{uuid}
@@ -312,7 +331,7 @@ limitations under the License.
         from team_role a
         where a.role_uuid in
         <foreach collection="list" item="roleUuid" open="(" separator="," close=")">
-             #{roleUuid}
+            #{roleUuid}
         </foreach>
         GROUP BY a.role_uuid
     </select>
@@ -338,11 +357,22 @@ limitations under the License.
             #{item}
         </foreach>
     </select>
+    <select id="getRoleUuidListByUserUuidAndEnv" resultType="java.lang.String">
+        select ur.`role_uuid`
+        from `user_role` ur
+        <if test="env != null and env != ''">
+            left join `role` r on r.uuid= ur.role_uuid
+        </if>
+        where ur.`user_uuid` = #{userUuid}
+        <if test="env != null and env != ''">
+            and (r.`env` = #{env} or r.`env` is null )
+        </if>
+    </select>
 
 
     <insert id="insertRole" parameterType="neatlogic.framework.dto.RoleVo">
-        INSERT INTO `role` (`id`, `uuid`, `name`, `description`)
-        VALUES (#{id}, #{uuid}, #{name}, #{description})
+        INSERT INTO `role` (`id`, `uuid`, `name`, `description`, `env`)
+        VALUES (#{id}, #{uuid}, #{name}, #{description}, #{env})
     </insert>
 
     <insert id="replaceRoleUser" parameterType="neatlogic.framework.dto.RoleUserVo">
@@ -374,7 +404,8 @@ limitations under the License.
     <update id="updateRole" parameterType="neatlogic.framework.dto.RoleVo">
         UPDATE `role`
         SET `name`        = #{name},
-            `description` = #{description}
+            `description` = #{description},
+            `env`         = #{env}
         WHERE `uuid` = #{uuid}
     </update>
 
diff --git a/src/main/java/neatlogic/framework/dao/mapper/UserMapper.java b/src/main/java/neatlogic/framework/dao/mapper/UserMapper.java
index 23a6fd416116203c98d57d908b19f6836ce88a2f..399ee355ab8a25f126901a8d5e8d91d6080d9840 100644
--- a/src/main/java/neatlogic/framework/dao/mapper/UserMapper.java
+++ b/src/main/java/neatlogic/framework/dao/mapper/UserMapper.java
@@ -55,7 +55,9 @@ public interface UserMapper {
 
     UserVo getUserById(Long id);
 
-    UserVo getUserByUuid(String uuid);
+    UserVo getUserByUuidAndEnv(@Param("uuid") String uuid, @Param("env") String env);
+
+    UserVo getUserByUuid(@Param("uuid") String uuid);
 
     UserVo getUserSimpleInfoByUuid(String uuid);
 
@@ -73,7 +75,7 @@ public interface UserMapper {
 
     List<UserAuthVo> searchUserAuthByUserUuid(String userUuid);
 
-    List<UserAuthVo> searchUserAllAuthByUserAuth(UserAuthVo userAuthVo);
+    List<UserAuthVo> searchUserAllAuthByUserAuth(@Param("authenticationInfoVo") AuthenticationInfoVo authenticationInfoVo, @Param("env") String env);
 
     List<UserAuthVo> searchUserAllAuthByUserAuthCache(UserAuthVo userAuthVo);
 
diff --git a/src/main/java/neatlogic/framework/dao/mapper/UserMapper.xml b/src/main/java/neatlogic/framework/dao/mapper/UserMapper.xml
index e8a7f5efd260b9a728d0682040cc9deaed176228..10b311ffa65a01278ea0120f4b6f094baa191daa 100644
--- a/src/main/java/neatlogic/framework/dao/mapper/UserMapper.xml
+++ b/src/main/java/neatlogic/framework/dao/mapper/UserMapper.xml
@@ -166,6 +166,35 @@ limitations under the License.
     </resultMap>
 
     <select id="getUserByUuid" parameterType="java.lang.String" resultMap="userInfoMap" useCache="false">
+        SELECT a.`id`,
+        a.`uuid`,
+        a.`user_id` AS userId,
+        a.`user_name` AS userName,
+        a.`email`,
+        a.`phone`,
+        e.`password`,
+        a.`pinyin`,
+        a.`is_active` AS isActive,
+        a.`is_delete` AS isDelete,
+        a.`user_info` AS userInfo,
+        a.`vip_level` AS vipLevel,
+        b.`role_uuid` AS roleUuid,
+        r.`name` AS roleName,
+        r.`description`,
+        c.`team_uuid` AS teamUuid,
+        d.`name` AS teamName,
+        d.`upward_name_path` AS upwardNamePath,
+        a.`is_super_admin` as isSuperAdmin
+        FROM `user` a
+        LEFT JOIN `user_role` b ON a.`uuid` = b.`user_uuid`
+        LEFT JOIN `user_team` c ON a.`uuid` = c.`user_uuid`
+        LEFT JOIN `team` d ON c.`team_uuid` = d.`uuid`
+        LEFT JOIN `role` r ON b.`role_uuid` = r.`uuid`
+        LEFT JOIN `user_password` e ON a.`user_id` = e.`user_id` AND e.`is_active` = 1
+        WHERE a.`uuid` = #{uuid}
+    </select>
+
+    <select id="getUserByUuidAndEnv" parameterType="java.lang.String" resultMap="userInfoMap" useCache="false">
         SELECT a.`id`,
                a.`uuid`,
                a.`user_id`          AS userId,
@@ -191,7 +220,10 @@ limitations under the License.
                  LEFT JOIN `team` d ON c.`team_uuid` = d.`uuid`
                  LEFT JOIN `role` r ON b.`role_uuid` = r.`uuid`
                  LEFT JOIN `user_password` e ON a.`user_id` = e.`user_id` AND e.`is_active` = 1
-        WHERE a.`uuid` = #{value}
+        WHERE a.`uuid` = #{uuid}
+          AND (r.`env` = #{env}
+            or r.`env` is null)
+
     </select>
 
     <select id="getUserById" parameterType="java.lang.Long" resultMap="userInfoMap" useCache="false">
@@ -466,36 +498,39 @@ limitations under the License.
         WHERE `user_uuid` = #{userUuid}
     </select>
 
-    <select id="searchUserAllAuthByUserAuth" parameterType="neatlogic.framework.dto.UserAuthVo"
-            resultType="neatlogic.framework.dto.UserAuthVo" useCache="false">
-        SELECT
-        ra.`auth_group` AS authGroup,
-        ra.`auth`
-        FROM `user_role` ur
-        JOIN `role_authority` ra ON ur.`role_uuid` = ra.`role_uuid`
-        WHERE ur.`user_uuid` = #{userUuid}
-        <if test="auth != null and auth != ''">
-            AND ra.`auth` = #{auth}
-        </if>
-        UNION
+    <select id="searchUserAllAuthByUserAuth" resultType="neatlogic.framework.dto.UserAuthVo" useCache="false">
         SELECT
         `auth_group` AS authGroup,
         `auth`
         FROM `user_authority`
-        WHERE `user_uuid` = #{userUuid}
-        <if test="auth != null and auth != ''">
-            AND `auth` = #{auth}
+        WHERE `user_uuid` = #{authenticationInfoVo.userUuid}
+        <if test="authenticationInfoVo.roleUuidList!= null and authenticationInfoVo.roleUuidList.size() > 0">
+            UNION
+            SELECT
+            ra.`auth_group` AS authGroup,
+            ra.`auth`
+            FROM `role_authority` ra
+            <if test="env != null and env != ''">
+                JOIN `role` r on ra.role_uuid = r.uuid
+            </if>
+            <if test="env != null and env != ''">
+                AND r.`env` = #{env} or  r.`env` is null
+            </if>
+            WHERE ra.`role_uuid` in
+            <foreach collection="authenticationInfoVo.roleUuidList" open="(" close=")" separator="," item="roleUuid">
+                #{roleUuid}
+            </foreach>
         </if>
-        UNION
-        SELECT
-        c.`auth_group` AS authGroup,
-        c.`auth`
-        FROM `user_team` a
-        JOIN `team_role` b ON b.`team_uuid` = a.`team_uuid`
-        JOIN `role_authority` c ON c.`role_uuid` = b.`role_uuid`
-        WHERE a.`user_uuid` = #{userUuid}
-        <if test="auth != null and auth != ''">
-            AND `auth` = #{auth}
+        <if test="authenticationInfoVo.userUuidList != null and authenticationInfoVo.userUuidList.size() > 0">
+            UNION
+            SELECT
+            `auth_group` AS authGroup,
+            `auth`
+            FROM `user_authority`
+            WHERE `user_uuid` in
+            <foreach collection="userUuidList" open="(" close=")" separator="," item="userUuid">
+                #{userUuid}
+            </foreach>
         </if>
     </select>
 
diff --git a/src/main/java/neatlogic/framework/dao/mapper/UserSessionMapper.java b/src/main/java/neatlogic/framework/dao/mapper/UserSessionMapper.java
index 90892ab4a66d79e92a6eaa9153a6a1ceacec4048..732a8d148b7119fec648e6ee70700ca0851999bf 100644
--- a/src/main/java/neatlogic/framework/dao/mapper/UserSessionMapper.java
+++ b/src/main/java/neatlogic/framework/dao/mapper/UserSessionMapper.java
@@ -23,7 +23,7 @@ import java.util.Date;
 import java.util.List;
 
 public interface UserSessionMapper {
-    UserSessionVo getUserSessionByUserUuid(String userUuid);
+    UserSessionVo getUserSessionByTokenHash(String userUuid);
 
     int getAllOnlineUserCount(Date sessionTime);
 
@@ -48,10 +48,12 @@ public interface UserSessionMapper {
 
     int getUserSessionCountByDate(String limitDate);
 
-    int insertUserSession(@Param("userUuid") String userUuid, @Param("authInfo") String authInfo);
+    int insertUserSession(@Param("userUuid") String userUuid, @Param("tokenHash") String tokenHash, @Param("tokenCreateTime") Long tokenCreateTime, @Param("authInfo") String authInfo);
 
-    int updateUserSession(String userUuid);
+    int insertUserSessionWithoutTokenCreateTime(@Param("userUuid") String userUuid, @Param("tokenHash") String tokenHash, @Param("tokenCreateTime") Long tokenCreateTime, @Param("authInfo") String authInfo);
 
-    int deleteUserSessionByUserUuid(String userUuid);
+    int updateUserSession(String tokenHash);
+
+    int deleteUserSessionByTokenHash(String tokenHash);
 
 }
\ No newline at end of file
diff --git a/src/main/java/neatlogic/framework/dao/mapper/UserSessionMapper.xml b/src/main/java/neatlogic/framework/dao/mapper/UserSessionMapper.xml
index ccb8eeea9aa363870f7c580a4ee420e950a2d1d6..1a17f04ce6a37e3e593931e2b192ada3ec1dbdac 100644
--- a/src/main/java/neatlogic/framework/dao/mapper/UserSessionMapper.xml
+++ b/src/main/java/neatlogic/framework/dao/mapper/UserSessionMapper.xml
@@ -19,11 +19,11 @@ limitations under the License.
 <mapper namespace="neatlogic.framework.dao.mapper.UserSessionMapper">
     <cache type="neatlogic.framework.dao.cache.NeatLogicCache" flushInterval="30000" size="100"/>
 
-    <select id="getUserSessionByUserUuid" parameterType="java.lang.String"
+    <select id="getUserSessionByTokenHash" parameterType="java.lang.String"
             resultType="neatlogic.framework.dto.UserSessionVo" useCache="false">
-        SELECT `user_uuid` as userUuid, `visit_time` as sessionTime,`auth_info` as authInfoStr
+        SELECT `user_uuid` as userUuid, `visit_time` as sessionTime,`auth_info` as authInfoStr,`token_create_time` as tokenCreateTime
         FROM `user_session`
-        WHERE `user_uuid` = #{value}
+        WHERE `token_hash` = #{value}
     </select>
 
     <select id="getOnlineUserUuidListByUserUuidListAndTeamUuidListAndRoleUuidListAndGreaterThanSessionTimeCount"
@@ -136,9 +136,16 @@ limitations under the License.
         FROM `user_session` b where b.`visit_time` &gt;= #{value}
     </select>
 
-    <insert id="insertUserSession" parameterType="java.lang.String">
-        INSERT INTO `user_session` (`user_uuid`, `visit_time`,`auth_info`)
-        VALUES (#{userUuid}, NOW(3), #{authInfo})
+    <insert id="insertUserSession">
+        INSERT INTO `user_session` (`user_uuid`, `visit_time`, `token_hash`, `token_create_time`, `auth_info`)
+        VALUES (#{userUuid}, NOW(3), #{tokenHash}, #{tokenCreateTime}, #{authInfo})
+        ON DUPLICATE KEY
+            UPDATE `visit_time` = NOW(3), `auth_info` = #{authInfo}, `token_create_time` = #{tokenCreateTime}
+    </insert>
+
+    <insert id="insertUserSessionWithoutTokenCreateTime">
+        INSERT INTO `user_session` (`user_uuid`, `visit_time`, `token_hash`, `token_create_time`, `auth_info`)
+        VALUES (#{userUuid}, NOW(3), #{tokenHash}, #{tokenCreateTime}, #{authInfo})
         ON DUPLICATE KEY
             UPDATE `visit_time` = NOW(3)
     </insert>
@@ -146,13 +153,13 @@ limitations under the License.
     <update id="updateUserSession" parameterType="java.lang.String">
         UPDATE `user_session`
         set `visit_time` = now(3)
-        WHERE `user_uuid` = #{userUuid}
+        WHERE `token_hash` = #{value}
     </update>
 
-    <delete id="deleteUserSessionByUserUuid" parameterType="java.lang.String">
+    <delete id="deleteUserSessionByTokenHash" parameterType="java.lang.String">
         DELETE
         FROM `user_session`
-        where `user_uuid` = #{value}
+        where `token_hash` = #{value}
     </delete>
 
 </mapper>
diff --git a/src/main/java/neatlogic/framework/dto/JwtVo.java b/src/main/java/neatlogic/framework/dto/JwtVo.java
index bb4d3fdee85c75545392ec065156ddf40d5d4005..2c6fe063e256655246069f0e4856b0b98e7385f2 100644
--- a/src/main/java/neatlogic/framework/dto/JwtVo.java
+++ b/src/main/java/neatlogic/framework/dto/JwtVo.java
@@ -1,33 +1,134 @@
 package neatlogic.framework.dto;
 
+import com.alibaba.fastjson.JSONObject;
+import neatlogic.framework.asynchronization.threadlocal.RequestContext;
+import neatlogic.framework.common.config.Config;
+import neatlogic.framework.common.constvalue.ApiParamType;
+import neatlogic.framework.restful.annotation.EntityField;
+import neatlogic.framework.util.Md5Util;
+import org.apache.commons.lang3.StringUtils;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Objects;
+
 public class JwtVo {
     private String cc;
     private String jwthead;
     private String jwtbody;
     private String jwtsign;
+    @EntityField(name = "创建时间", type = ApiParamType.STRING)
+    private Long tokenCreateTime;
+
+    @EntityField(name = "是否校验tokenCreateTime", type = ApiParamType.STRING)
+    private boolean isValidTokenCreateTime = true;
+
+    @EntityField(name = "token哈希", type = ApiParamType.STRING)
+    private String tokenHash;
+
+    public JwtVo() {
+
+    }
+
+    public JwtVo(UserVo checkUserVo, Long tokenCreateTime) {
+        JSONObject jwtBodyObj = new JSONObject();
+        jwtBodyObj.put("useruuid", checkUserVo.getUuid());
+        jwtBodyObj.put("userid", checkUserVo.getUserId());
+        jwtBodyObj.put("username", checkUserVo.getUserName());
+        jwtBodyObj.put("tenant", checkUserVo.getTenant());
+        jwtBodyObj.put("isSuperAdmin", checkUserVo.getIsSuperAdmin());
+        jwtBodyObj.put("createTime", tokenCreateTime);
+        if (RequestContext.get() != null && RequestContext.get().getRequest() != null) {
+            String env = RequestContext.get().getRequest().getHeader("Env");
+            if (StringUtils.isNotBlank(env)) {
+                jwtBodyObj.put("env", env);
+            }
+        }
+        this.setTokenCreateTime(tokenCreateTime);
+        jwtbody = Base64.getUrlEncoder().encodeToString(jwtBodyObj.toJSONString().getBytes());
+    }
+
+    public JwtVo(String[] jwtParts) {
+        this.jwthead = jwtParts[0];
+        this.jwtbody = jwtParts[1];
+        this.jwtsign = jwtParts[2];
+    }
+
     public String getCc() {
         return cc;
     }
+
     public void setCc(String cc) {
         this.cc = cc;
     }
+
     public String getJwthead() {
+        if (StringUtils.isBlank(jwthead)) {
+            JSONObject jwtHeadObj = new JSONObject();
+            jwtHeadObj.put("alg", "HS256");
+            jwtHeadObj.put("typ", "JWT");
+            jwthead = Base64.getUrlEncoder().encodeToString(jwtHeadObj.toJSONString().getBytes());
+        }
         return jwthead;
     }
-    public void setJwthead(String jwthead) {
-        this.jwthead = jwthead;
-    }
+
     public String getJwtbody() {
         return jwtbody;
     }
+
+    public void setJwthead(String jwthead) {
+        this.jwthead = jwthead;
+    }
+
     public void setJwtbody(String jwtbody) {
         this.jwtbody = jwtbody;
     }
+
     public String getJwtsign() {
         return jwtsign;
     }
+
     public void setJwtsign(String jwtsign) {
         this.jwtsign = jwtsign;
     }
-    
+
+    public Long getTokenCreateTime() {
+        return tokenCreateTime;
+    }
+
+    public void setTokenCreateTime(Long tokenCreateTime) {
+        this.tokenCreateTime = tokenCreateTime;
+    }
+
+    public String getTokenHash() {
+        if (StringUtils.isBlank(tokenHash)) {
+            String jwtBody = new String(Base64.getUrlDecoder().decode(getJwtbody()), StandardCharsets.UTF_8);
+            JSONObject jwtBodyObj = JSONObject.parseObject(jwtBody);
+            JSONObject tokenJson = new JSONObject();
+            tokenJson.put("tenant", jwtBodyObj.getString("tenant"));
+            tokenJson.put("useruuid", jwtBodyObj.getString("useruuid"));
+            if (jwtBodyObj.containsKey("env")) {
+                tokenJson.put("env", jwtBodyObj.getString("env"));
+            }
+            tokenHash = Md5Util.encryptMD5(tokenJson.toJSONString());
+        }
+        return tokenHash;
+    }
+
+    public String getEnv() {
+        String jwtBody = new String(Base64.getUrlDecoder().decode(getJwtbody()), StandardCharsets.UTF_8);
+        JSONObject jwtBodyObj = JSONObject.parseObject(jwtBody);
+        return jwtBodyObj.getString("env");
+    }
+
+    public void setValidTokenCreateTime(boolean validTokenCreateTime) {
+        isValidTokenCreateTime = validTokenCreateTime;
+    }
+
+    public boolean validTokenCreateTime(Long userSessionTokenCreateTime) {
+        if (Config.ENABLE_NO_SECRET() || !isValidTokenCreateTime) {
+            return true;
+        }
+        return Objects.equals(userSessionTokenCreateTime, getTokenCreateTime());
+    }
 }
diff --git a/src/main/java/neatlogic/framework/dto/RoleVo.java b/src/main/java/neatlogic/framework/dto/RoleVo.java
index f006dbd728030cc556e818c5630cb2c56b609802..40d0060608efa2601f4cfb37de2879cb6d415e64 100644
--- a/src/main/java/neatlogic/framework/dto/RoleVo.java
+++ b/src/main/java/neatlogic/framework/dto/RoleVo.java
@@ -43,6 +43,9 @@ public class RoleVo extends BasePageVo implements Serializable {
     @EntityField(name = "角色描述",
             type = ApiParamType.STRING)
     private String description;
+    @EntityField(name = "环境",
+            type = ApiParamType.STRING)
+    private String env;
     private int userCount;
     private int teamCount;
     private String authGroup;
@@ -174,4 +177,12 @@ public class RoleVo extends BasePageVo implements Serializable {
     public void setTeamList(List<TeamVo> teamList) {
         this.teamList = teamList;
     }
+
+    public String getEnv() {
+        return env;
+    }
+
+    public void setEnv(String env) {
+        this.env = env;
+    }
 }
diff --git a/src/main/java/neatlogic/framework/dto/UserAuthVo.java b/src/main/java/neatlogic/framework/dto/UserAuthVo.java
index 1324759dde6439286caef5e075204ff99eb75a87..5faca16a73c2801fd00420f7c5f4d856b83c0bb1 100644
--- a/src/main/java/neatlogic/framework/dto/UserAuthVo.java
+++ b/src/main/java/neatlogic/framework/dto/UserAuthVo.java
@@ -24,6 +24,9 @@ public class UserAuthVo extends BasePageVo implements Serializable {
     @EntityField(name = "权限名", type = ApiParamType.STRING)
     private String authName;
 
+    @EntityField(name = "环境", type = ApiParamType.STRING)
+    private String env;
+
 
     public UserAuthVo() {
 
@@ -31,6 +34,9 @@ public class UserAuthVo extends BasePageVo implements Serializable {
 
     public UserAuthVo(String _userUuid) {
         this.userUuid = _userUuid;
+        if (UserContext.get() != null) {
+            this.env = UserContext.get().getEnv();
+        }
     }
 
     public UserAuthVo(String _userUuid, String _auth) {
@@ -84,4 +90,11 @@ public class UserAuthVo extends BasePageVo implements Serializable {
         return authName;
     }
 
+    public String getEnv() {
+        return env;
+    }
+
+    public void setEnv(String env) {
+        this.env = env;
+    }
 }
diff --git a/src/main/java/neatlogic/framework/dto/UserSessionVo.java b/src/main/java/neatlogic/framework/dto/UserSessionVo.java
index 96532636613c8cd645f8be3f1fe694adeb9c9e35..630dd4edbce280b3fa906001ad1c074b1882951b 100644
--- a/src/main/java/neatlogic/framework/dto/UserSessionVo.java
+++ b/src/main/java/neatlogic/framework/dto/UserSessionVo.java
@@ -15,6 +15,9 @@ public class UserSessionVo {
     @EntityField(name = "权限", type = ApiParamType.STRING)
     private AuthenticationInfoVo authInfo;
 
+    @EntityField(name = "token创建时间", type = ApiParamType.LONG)
+    private Long tokenCreateTime;
+
     public UserSessionVo(String userUuid, Date sessionTime) {
         this.userUuid = userUuid;
         this.sessionTime = sessionTime;
@@ -54,4 +57,12 @@ public class UserSessionVo {
     public void setAuthInfoStr(String authInfoStr) {
         this.authInfoStr = authInfoStr;
     }
+
+    public Long getTokenCreateTime() {
+        return tokenCreateTime;
+    }
+
+    public void setTokenCreateTime(Long tokenCreateTime) {
+        this.tokenCreateTime = tokenCreateTime;
+    }
 }
diff --git a/src/main/java/neatlogic/framework/dto/UserVo.java b/src/main/java/neatlogic/framework/dto/UserVo.java
index 3a9402359ca4d6bcae6b22a3556b8aa1ab84f391..7b70f59ff1cf3f49c9b31d96b7174e5181a694f7 100644
--- a/src/main/java/neatlogic/framework/dto/UserVo.java
+++ b/src/main/java/neatlogic/framework/dto/UserVo.java
@@ -130,6 +130,10 @@ public class UserVo extends BaseEditorVo implements Serializable {
     private Boolean isSuperAdmin;
     private String source;
 
+    @JSONField(serialize = false)
+    @EntityField(name = "jwtVo", type = ApiParamType.BOOLEAN)
+    private JwtVo jwtVo;
+
     public UserVo() {
 
     }
@@ -587,4 +591,12 @@ public class UserVo extends BaseEditorVo implements Serializable {
     public void setSource(String source) {
         this.source = source;
     }
+
+    public JwtVo getJwtVo() {
+        return jwtVo;
+    }
+
+    public void setJwtVo(JwtVo jwtVo) {
+        this.jwtVo = jwtVo;
+    }
 }
diff --git a/src/main/java/neatlogic/framework/filter/JsonWebTokenValidFilter.java b/src/main/java/neatlogic/framework/filter/JsonWebTokenValidFilter.java
index dae72ab15e549c66c309315b499fc4eeb92eedf6..b74f0adf8dabb5bfef0a9bbc1c3b4651f10356a5 100644
--- a/src/main/java/neatlogic/framework/filter/JsonWebTokenValidFilter.java
+++ b/src/main/java/neatlogic/framework/filter/JsonWebTokenValidFilter.java
@@ -25,13 +25,14 @@ import neatlogic.framework.common.util.TenantUtil;
 import neatlogic.framework.dao.cache.UserSessionCache;
 import neatlogic.framework.dao.mapper.UserSessionMapper;
 import neatlogic.framework.dto.AuthenticationInfoVo;
+import neatlogic.framework.dto.JwtVo;
 import neatlogic.framework.dto.UserSessionVo;
 import neatlogic.framework.dto.UserVo;
 import neatlogic.framework.filter.core.ILoginAuthHandler;
 import neatlogic.framework.filter.core.LoginAuthFactory;
 import neatlogic.framework.login.core.ILoginPostProcessor;
 import neatlogic.framework.login.core.LoginPostProcessorFactory;
-import neatlogic.framework.service.AuthenticationInfoService;
+import neatlogic.framework.util.$;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
@@ -46,11 +47,8 @@ import java.net.URLDecoder;
 import java.util.Date;
 
 public class JsonWebTokenValidFilter extends OncePerRequestFilter {
-    // private ServletContext context;
     @Resource
     private UserSessionMapper userSessionMapper;
-    @Resource
-    private AuthenticationInfoService authenticationInfoService;
 
     /**
      * Default constructor.
@@ -71,9 +69,7 @@ public class JsonWebTokenValidFilter extends OncePerRequestFilter {
         Cookie[] cookies = request.getCookies();
         String timezone = "+8:00";
         boolean isUnExpired = false;
-        boolean hasTenant = false;
         UserVo userVo = null;
-        JSONObject redirectObj = new JSONObject();
         String authType = "default";
         ILoginAuthHandler defaultLoginAuth = LoginAuthFactory.getLoginAuth(authType);
         ILoginAuthHandler loginAuth = defaultLoginAuth;
@@ -90,96 +86,123 @@ public class JsonWebTokenValidFilter extends OncePerRequestFilter {
 
         //判断租户
         try {
-            //logger.info("requestUrl:"+request.getRequestURI()+" ------------------------------------------------ start");
             String tenant = request.getHeader("Tenant");
             //认证过程中可能需要从request中获取inputStream，为了后续spring也可以获取inputStream，需要做一层cached
             HttpServletRequest cachedRequest = new CachedBodyHttpServletRequest(request);
-            if (TenantUtil.hasTenant(tenant)) {
-                hasTenant = true;
-                TenantContext.init();
-                TenantContext.get().switchTenant(tenant);
-                logger.warn("======= defaultLoginAuth: ");
-                //先按 default 认证，不存在才根据具体 AuthType 认证用户
-                userVo = defaultLoginAuth.auth(cachedRequest, response);
-                if (userVo == null) {
-                    //获取认证插件名,优先使用请求方指定的认证
-                    String authTypeHeader = request.getHeader("AuthType");
-                    if (StringUtils.isNotBlank(authTypeHeader)) {
-                        authType = authTypeHeader;
-                    } else {
-                        authType = Config.LOGIN_AUTH_TYPE();
-                    }
-                    logger.info("AuthType: " + authType);
-                    if (StringUtils.isNotBlank(authType)) {
-                        loginAuth = LoginAuthFactory.getLoginAuth(authType);
-                        if (loginAuth != null) {
-                            userVo = loginAuth.auth(cachedRequest, response);
-                            if (userVo != null && StringUtils.isNotBlank(userVo.getUuid())) {
-                                logger.warn("======= userUuid: " + userVo.getUuid());
-                                isUnExpired = userExpirationValid(userVo, timezone, request, response);
+            if (!TenantUtil.hasTenant(tenant)) {
+                returnErrorResponseJson($.t("nff.jsonwebtokenvalidfilter.dofilterinternal.lacktenant", tenant), 521, response, loginAuth.directUrl());
+                return;
+            }
+            TenantContext.init();
+            TenantContext.get().switchTenant(tenant);
+            logger.warn("======= defaultLoginAuth: ");
+            //先按 default 认证，不存在才根据具体 AuthType 认证用户
+            userVo = defaultLoginAuth.auth(cachedRequest, response);
+            if (userVo == null) {
+                //获取认证插件名,优先使用请求方指定的认证
+                String authTypeHeader = request.getHeader("AuthType");
+                if (StringUtils.isNotBlank(authTypeHeader)) {
+                    authType = authTypeHeader;
+                } else {
+                    authType = Config.LOGIN_AUTH_TYPE();
+                }
+                logger.info("AuthType: " + authType);
+                if (StringUtils.isNotBlank(authType)) {
+                    loginAuth = LoginAuthFactory.getLoginAuth(authType);
+                    if (loginAuth != null) {
+                        userVo = loginAuth.auth(cachedRequest, response);
+                        if (userVo != null && StringUtils.isNotBlank(userVo.getUuid())) {
+                            logger.warn("======= getUser succeed: " + userVo.getUuid());
+                            isUnExpired = userExpirationValid(userVo, timezone, request, response);
+                            if (isUnExpired) {
                                 for (ILoginPostProcessor loginPostProcessor : LoginPostProcessorFactory.getLoginPostProcessorSet()) {
                                     loginPostProcessor.loginAfterInitialization();
                                 }
                             }
+                        } else {
+                            returnErrorResponseJson($.t("nff.jsonwebtokenvalidfilter.dofilterinternal.authfailed", loginAuth.getType()), 523, response, loginAuth.directUrl());
+                            return;
                         }
+                    } else {
+                        returnErrorResponseJson($.t("nff.jsonwebtokenvalidfilter.dofilterinternal.authtypeinvalid", authType), 522, response, defaultLoginAuth.directUrl());
+                        return;
                     }
                 } else {
-                    isUnExpired = userExpirationValid(userVo, timezone, request, response);
-                    logger.warn("======= getAuthenticationInfoService succeed: " + userVo.getUuid());
+                    returnErrorResponseJson($.t("nff.jsonwebtokenvalidfilter.dofilterinternal.authfailed", loginAuth.getType()), 523, response, defaultLoginAuth.directUrl());
+                    return;
                 }
+            } else {
+                logger.warn("======= getUser succeed: " + userVo.getUuid());
+                isUnExpired = userExpirationValid(userVo, timezone, request, response);
             }
 
-            if (hasTenant && userVo != null && isUnExpired) {
-                //兼容“处理response,对象toString可能会异常”的场景，过了filter，应该是520异常
-                try {
-                    filterChain.doFilter(cachedRequest, response);
-                } catch (Exception ex) {
-                    logger.error(ex.getMessage(), ex);
-                    response.setStatus(520);
-                    redirectObj.put("Status", "ERROR");
-                    redirectObj.put("Message", ex.getMessage());
-                    response.setContentType(Config.RESPONSE_TYPE_JSON);
-                    response.getWriter().print(redirectObj.toJSONString());
-                }
+            //回话超时
+            if (!isUnExpired) {
+                returnErrorResponseJson($.t("nff.jsonwebtokenvalidfilter.dofilterinternal.unexpired"), 527, response, loginAuth.directUrl());
+                return;
             } else {
-                if (!hasTenant) {
-                    response.setStatus(521);
-                    redirectObj.put("Status", "FAILED");
-                    redirectObj.put("Message", "租户 '" + tenant + "' 不存在或已被禁用");
-                    logger.warn("======= login error: 租户 '" + tenant + "' 不存在或已被禁用");
-                } else if (userVo == null) {
-                    response.setStatus(522);
-                    redirectObj.put("Status", "FAILED");
-                    if (loginAuth == null) {
-                        redirectObj.put("Message", "找不到认证方式 '" + authType + "'");
-                        logger.warn("======= login error: 找不到认证方式 '" + authType + "'");
-                    } else {
-                        redirectObj.put("Message", "认证失败(" + loginAuth.getType() + ")，请重新登录");
-                        logger.warn("======= login error: 通过" + loginAuth.getType() + "认证失败，请重新登录");
-                    }
-                    redirectObj.put("DirectUrl", loginAuth != null ? loginAuth.directUrl() : defaultLoginAuth.directUrl());
-                } else {
-                    response.setStatus(527);
-                    redirectObj.put("Status", "FAILED");
-                    redirectObj.put("Message", "会话已超时或已被终止，请重新登录");
-                    logger.warn("======= login error: 会话已超时或已被终止，请重新登录");
-                    redirectObj.put("DirectUrl", loginAuth != null ? loginAuth.directUrl() : defaultLoginAuth.directUrl());
-                }
-                removeAuthCookie(response);
-                response.setContentType(Config.RESPONSE_TYPE_JSON);
-                response.getWriter().print(redirectObj.toJSONString());
+                logger.warn("======= is Expired");
+            }
+
+            try {
+                filterChain.doFilter(cachedRequest, response);
+            } catch (Exception ex) {
+                //兼容“处理response,对象toString可能会异常”的场景，过了filter，应该是520异常
+                logger.error(ex.getMessage(), ex);
+                returnErrorResponseJson(ex.getMessage(), 520, response, false);
             }
         } catch (Exception ex) {
-            logger.error("认证失败", ex);
-            response.setStatus(522);
-            redirectObj.put("Status", "FAILED");
-            redirectObj.put("Message", ex.getMessage());
-            redirectObj.put("DirectUrl", loginAuth != null ? loginAuth.directUrl() : defaultLoginAuth.directUrl());
+            logger.error($.t("nff.jsonwebtokenvalidfilter.dofilterinternal.authfailederrorlog"), ex);
+            returnErrorResponseJson(ex.getMessage(), 524, response, loginAuth != null ? loginAuth.directUrl() : defaultLoginAuth.directUrl());
+        }
+    }
+
+    /**
+     * 返回异常JSON
+     *
+     * @param message      异常信息
+     * @param responseCode 异常码
+     * @param response     相应
+     * @param directUrl    前端跳转url
+     * @throws IOException 异常
+     */
+    private void returnErrorResponseJson(String message, Integer responseCode, HttpServletResponse response, boolean isRemoveCookie, String directUrl) throws IOException {
+        JSONObject redirectObj = new JSONObject();
+        redirectObj.put("Status", "FAILED");
+        redirectObj.put("Message", message);
+        logger.warn("======login error:" + message);
+        response.setStatus(responseCode);
+        redirectObj.put("DirectUrl", directUrl);
+        if (isRemoveCookie) {
             removeAuthCookie(response);
-            response.setContentType(Config.RESPONSE_TYPE_JSON);
-            response.getWriter().print(redirectObj.toJSONString());
         }
-        //logger.info("requestUrl:"+request.getRequestURI()+" ------------------------------------------------ end");
+        response.setContentType(Config.RESPONSE_TYPE_JSON);
+        response.getWriter().print(redirectObj.toJSONString());
+    }
+
+    /**
+     * 返回异常JSON
+     *
+     * @param message      异常信息
+     * @param responseCode 异常码
+     * @param response     相应
+     * @param directUrl    前端跳转url
+     * @throws IOException 异常
+     */
+    private void returnErrorResponseJson(String message, Integer responseCode, HttpServletResponse response, String directUrl) throws IOException {
+        returnErrorResponseJson(message, responseCode, response, true, directUrl);
+    }
+
+    /**
+     * 返回异常JSON
+     *
+     * @param message      异常信息
+     * @param responseCode 异常码
+     * @param response     相应
+     * @throws IOException 异常
+     */
+    private void returnErrorResponseJson(String message, Integer responseCode, HttpServletResponse response, boolean isRemoveCookie) throws IOException {
+        returnErrorResponseJson(message, responseCode, response, isRemoveCookie, null);
     }
 
     /**
@@ -200,24 +223,23 @@ public class JsonWebTokenValidFilter extends OncePerRequestFilter {
      * @return 不超时返回权限信息，否则返回null
      */
     private boolean userExpirationValid(UserVo userVo, String timezone, HttpServletRequest request, HttpServletResponse response) {
-        String userUuid = userVo.getUuid();
-        String tenant = TenantContext.get().getTenantUuid();
-        AuthenticationInfoVo authenticationInfo = (AuthenticationInfoVo) UserSessionCache.getItem(tenant, userUuid);
+        JwtVo jwt = userVo.getJwtVo();
+        AuthenticationInfoVo authenticationInfo = (AuthenticationInfoVo) UserSessionCache.getItem(jwt.getTokenHash());
         if (authenticationInfo == null || authenticationInfo.getUserUuid() == null) {
-            UserSessionVo userSessionVo = userSessionMapper.getUserSessionByUserUuid(userUuid);
-            if (null != userSessionVo) {
+            UserSessionVo userSessionVo = userSessionMapper.getUserSessionByTokenHash(jwt.getTokenHash());
+            if (null != userSessionVo && (jwt.validTokenCreateTime(userSessionVo.getTokenCreateTime()))) {
                 Date visitTime = userSessionVo.getSessionTime();
                 Date now = new Date();
                 int expire = Config.USER_EXPIRETIME();
                 long expireTime = expire * 60L * 1000L + visitTime.getTime();
                 if (now.getTime() < expireTime) {
-                    userSessionMapper.updateUserSession(userUuid);
+                    userSessionMapper.updateUserSession(jwt.getTokenHash());
                     authenticationInfo = userSessionVo.getAuthInfo();
-                    UserSessionCache.addItem(tenant, userUuid, authenticationInfo);
+                    UserSessionCache.addItem(jwt.getTokenHash(), authenticationInfo);
                     UserContext.init(userVo, authenticationInfo, timezone, request, response);
                     return true;
                 }
-                userSessionMapper.deleteUserSessionByUserUuid(userUuid);
+                userSessionMapper.deleteUserSessionByTokenHash(jwt.getTokenHash());
             }
         } else {
             UserContext.init(userVo, authenticationInfo, timezone, request, response);
diff --git a/src/main/java/neatlogic/framework/filter/core/ILoginAuthHandler.java b/src/main/java/neatlogic/framework/filter/core/ILoginAuthHandler.java
index c36242b513c564b94386a718b1d53e72d9d90e62..fe7e8b28d8529a035ab343db914f66d9505c3fd8 100644
--- a/src/main/java/neatlogic/framework/filter/core/ILoginAuthHandler.java
+++ b/src/main/java/neatlogic/framework/filter/core/ILoginAuthHandler.java
@@ -9,39 +9,40 @@ import javax.servlet.http.HttpServletResponse;
 public interface ILoginAuthHandler {
 
     /**
-    * @Author 89770
-    * @Time 2020年11月19日  
-    * @Description: 认证类型
-    * @Param 
-    * @return
+     * @return
+     * @Author 89770
+     * @Time 2020年11月19日
+     * @Description: 认证类型
+     * @Param
      */
     String getType();
-    
+
     /**
      * 资源权限拦截
-    * @Author 89770
-    * @Time 2020年11月19日  
-    * @Description: 认证逻辑
-    * @Param 
-    * @return
+     *
+     * @return
+     * @Author 89770
+     * @Time 2020年11月19日
+     * @Description: 认证逻辑
+     * @Param
      */
-    UserVo auth(HttpServletRequest request,HttpServletResponse response) throws Exception;
+    UserVo auth(HttpServletRequest request, HttpServletResponse response) throws Exception;
 
 
     /**
      * 登录认证
+     *
      * @param userVo
      * @param resultJson
      * @return
      */
     UserVo login(UserVo userVo, JSONObject resultJson);
-    
+
     /**
-    * @Author 89770
-    * @Time 2020年11月19日  
-    * @Description: 跳转url ，如果为null，则跳自带的登录页
-    * @Param 
-    * @return
+     * @Author 89770
+     * @Time 2020年11月19日
+     * @Description: 跳转url ，如果为null，则跳自带的登录页
+     * @Param
      */
     String directUrl();
 
@@ -50,4 +51,9 @@ public interface ILoginAuthHandler {
      */
     String logout();
 
+    /**
+     * 是否需要更新校验token createTime
+     */
+    boolean isValidTokenCreateTime();
+
 }
diff --git a/src/main/java/neatlogic/framework/filter/core/LoginAuthHandlerBase.java b/src/main/java/neatlogic/framework/filter/core/LoginAuthHandlerBase.java
index e1c60e4ba36d01da67a8ab29497c794047532552..e227ebff734578259865d866cfe604c21475aafc 100644
--- a/src/main/java/neatlogic/framework/filter/core/LoginAuthHandlerBase.java
+++ b/src/main/java/neatlogic/framework/filter/core/LoginAuthHandlerBase.java
@@ -17,7 +17,6 @@
 package neatlogic.framework.filter.core;
 
 import com.alibaba.fastjson.JSONObject;
-import neatlogic.framework.asynchronization.threadlocal.TenantContext;
 import neatlogic.framework.asynchronization.threadlocal.UserContext;
 import neatlogic.framework.common.config.Config;
 import neatlogic.framework.dao.cache.UserSessionCache;
@@ -100,9 +99,16 @@ public abstract class LoginAuthHandlerBase implements ILoginAuthHandler {
             logger.warn("======= myAuth: " + getType() + " ===== " + userVo.getUserId());
             JwtVo jwtVo = buildJwt(userVo);
             setResponseAuthCookie(response, request, tenant, jwtVo);
-            //userVo.setRoleUuidList(roleMapper.getRoleUuidListByUserUuid(userVo.getUuid()));//TODO 是否可以去掉，得排查后续用到的逻辑，换成使用authenticationInfoVo
-            AuthenticationInfoVo authenticationInfoVo = authenticationInfoService.getAuthenticationInfo(userVo.getUuid());
-            userSessionMapper.insertUserSession(userVo.getUuid(), JSONObject.toJSONString(authenticationInfoVo));
+            AuthenticationInfoVo authenticationInfoVo = authenticationInfoService.getAuthenticationInfo(userVo.getUuid(), request.getHeader("Env"));
+            if(isValidTokenCreateTime()) {
+                userSessionMapper.insertUserSession(userVo.getUuid(), jwtVo.getTokenHash(), jwtVo.getTokenCreateTime(), JSONObject.toJSONString(authenticationInfoVo));
+            }else{
+                jwtVo.setValidTokenCreateTime(isValidTokenCreateTime());
+                if(UserSessionCache.getItem(jwtVo.getTokenHash()) == null) {
+                    userSessionMapper.insertUserSessionWithoutTokenCreateTime(userVo.getUuid(), jwtVo.getTokenHash(), jwtVo.getTokenCreateTime(), JSONObject.toJSONString(authenticationInfoVo));
+                }
+            }
+            userVo.setJwtVo(jwtVo);
         }
         return userVo;
     }
@@ -117,33 +123,16 @@ public abstract class LoginAuthHandlerBase implements ILoginAuthHandler {
      * @throws Exception 异常
      */
     public static JwtVo buildJwt(UserVo checkUserVo) throws Exception {
-        JSONObject jwtHeadObj = new JSONObject();
-        jwtHeadObj.put("alg", "HS256");
-        jwtHeadObj.put("typ", "JWT");
-
-        JSONObject jwtBodyObj = new JSONObject();
-        jwtBodyObj.put("useruuid", checkUserVo.getUuid());
-        jwtBodyObj.put("userid", checkUserVo.getUserId());
-        jwtBodyObj.put("username", checkUserVo.getUserName());
-        jwtBodyObj.put("tenant", checkUserVo.getTenant());
-        jwtBodyObj.put("isSuperAdmin", checkUserVo.getIsSuperAdmin());
-//        if (CollectionUtils.isNotEmpty(checkUserVo.getRoleUuidList())) {
-//            jwtBodyObj.put("rolelist", checkUserVo.getRoleUuidList());
-//        }
-
-        String jwthead = Base64.getUrlEncoder().encodeToString(jwtHeadObj.toJSONString().getBytes());
-        String jwtbody = Base64.getUrlEncoder().encodeToString(jwtBodyObj.toJSONString().getBytes());
-
+        Long tokenCreateTime = System.currentTimeMillis();
+        JwtVo jwtVo = new JwtVo(checkUserVo,tokenCreateTime);
         SecretKeySpec signingKey = new SecretKeySpec(Config.JWT_SECRET().getBytes(), "HmacSHA1");
         Mac mac;
-
         mac = Mac.getInstance("HmacSHA1");
         mac.init(signingKey);
-        byte[] rawHmac = mac.doFinal((jwthead + "." + jwtbody).getBytes());
+        byte[] rawHmac = mac.doFinal((jwtVo.getJwthead() + "." + jwtVo.getJwtbody()).getBytes());
         String jwtsign = Base64.getUrlEncoder().encodeToString(rawHmac);
-
         // 压缩cookie内容
-        String c = "Bearer_" + jwthead + "." + jwtbody + "." + jwtsign;
+        String c = "Bearer_" + jwtVo.getJwthead() + "." + jwtVo.getJwtbody() + "." + jwtsign;
         checkUserVo.setAuthorization(c);
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
         GZIPOutputStream gzipOutputStream = new GZIPOutputStream(bos);
@@ -151,10 +140,7 @@ public abstract class LoginAuthHandlerBase implements ILoginAuthHandler {
         gzipOutputStream.close();
         String cc = Base64.getEncoder().encodeToString(bos.toByteArray());
         bos.close();
-        JwtVo jwtVo = new JwtVo();
         jwtVo.setCc(cc);
-        jwtVo.setJwthead(jwthead);
-        jwtVo.setJwtbody(jwtbody);
         jwtVo.setJwtsign(jwtsign);
         return jwtVo;
     }
@@ -189,9 +175,9 @@ public abstract class LoginAuthHandlerBase implements ILoginAuthHandler {
 
     @Override
     public String logout() {
-        UserSessionCache.removeItem(TenantContext.get().getTenantUuid(), UserContext.get().getUserUuid(true));
-        userSessionMapper.deleteUserSessionByUserUuid(UserContext.get().getUserUuid(true));
-        String url = null;
+        UserSessionCache.removeItem(UserContext.get().getTokenHash());
+        userSessionMapper.deleteUserSessionByTokenHash(UserContext.get().getTokenHash());
+        String url;
         try {
             url = myLogout();
         } catch (IOException e) {
@@ -240,4 +226,9 @@ public abstract class LoginAuthHandlerBase implements ILoginAuthHandler {
     public UserVo myLogin(UserVo userVo, JSONObject resultJson) {
         return null;
     }
+
+    @Override
+    public boolean isValidTokenCreateTime(){
+        return true;
+    }
 }
diff --git a/src/main/java/neatlogic/framework/service/AuthenticationInfoService.java b/src/main/java/neatlogic/framework/service/AuthenticationInfoService.java
index 80488249e7e17ecfa6f6cddfebf677579dbd2d56..dcbbe6ca27c4054b7a3fd98d5a575c7cf5bd038a 100644
--- a/src/main/java/neatlogic/framework/service/AuthenticationInfoService.java
+++ b/src/main/java/neatlogic/framework/service/AuthenticationInfoService.java
@@ -28,15 +28,33 @@ public interface AuthenticationInfoService {
 
     /**
      * 查询用户鉴权时，需要用到到userUuid、teamUuidList、roleUuidList，其中roleUuidList包含用户所在分组的拥护角色列表。
-     * @param userUuid
-     * @return
+     *
+     * @param userUuid 用户uuid
      */
     AuthenticationInfoVo getAuthenticationInfo(String userUuid);
 
+
+    /**
+     * 查询用户鉴权时，需要用到到userUuid、teamUuidList、roleUuidList，其中roleUuidList包含用户所在分组的拥护角色列表。
+     *
+     * @param userUuid 用户uuid
+     * @param env 环境
+     */
+    AuthenticationInfoVo getAuthenticationInfo(String userUuid, String env);
+
     /**
      * 查询用户鉴权时，需要用到到userUuidList、teamUuidList、roleUuidList，其中roleUuidList包含用户所在分组的拥护角色列表。
-     * @param userUuidList
-     * @return
+     *
+     * @param userUuidList 用户uuid列表
      */
     AuthenticationInfoVo getAuthenticationInfo(List<String> userUuidList);
+
+
+    /**
+     * 查询用户鉴权时，需要用到到userUuidList、teamUuidList、roleUuidList，其中roleUuidList包含用户所在分组的拥护角色列表。
+     *
+     * @param userUuidList 用户uuid列表
+     * @param env 环境
+     */
+    AuthenticationInfoVo getAuthenticationInfo(List<String> userUuidList, String env);
 }
diff --git a/src/main/java/neatlogic/framework/service/AuthenticationInfoServiceImpl.java b/src/main/java/neatlogic/framework/service/AuthenticationInfoServiceImpl.java
index 4581500295d231c3c3668708bc54ffc23cc0e779..92eedb028874840cfbe3dd72235e6c5efe3bfcce 100644
--- a/src/main/java/neatlogic/framework/service/AuthenticationInfoServiceImpl.java
+++ b/src/main/java/neatlogic/framework/service/AuthenticationInfoServiceImpl.java
@@ -51,19 +51,40 @@ public class AuthenticationInfoServiceImpl implements AuthenticationInfoService
 
     /**
      * 查询用户鉴权时，需要用到到userUuid、teamUuidList、roleUuidList，其中roleUuidList包含用户所在分组的拥护角色列表。
-     * @param userUuid
-     * @return
+     *
+     * @param userUuid 用户uuid
      */
     @Override
-    public AuthenticationInfoVo getAuthenticationInfo(String userUuid){
+    public AuthenticationInfoVo getAuthenticationInfo(String userUuid) {
         List<String> teamUuidList = teamMapper.getTeamUuidListByUserUuid(userUuid);
         List<String> userRoleUuidList = roleMapper.getRoleUuidListByUserUuid(userUuid);
         Set<String> roleUuidSet = new HashSet<>(userRoleUuidList);
+        getTeamUuidListAndRoleUuidList(teamUuidList, roleUuidSet, null);
+        return new AuthenticationInfoVo(userUuid, teamUuidList, new ArrayList<>(roleUuidSet));
+    }
+
+
+    @Override
+    public AuthenticationInfoVo getAuthenticationInfo(String userUuid, String env) {
+        List<String> teamUuidList = teamMapper.getTeamUuidListByUserUuid(userUuid);
+        List<String> userRoleUuidList = roleMapper.getRoleUuidListByUserUuidAndEnv(userUuid, env);
+        Set<String> roleUuidSet = new HashSet<>(userRoleUuidList);
+        getTeamUuidListAndRoleUuidList(teamUuidList, roleUuidSet, env);
+        return new AuthenticationInfoVo(userUuid, teamUuidList, new ArrayList<>(roleUuidSet));
+    }
+
+    /**
+     * 补充teamUuidList roleUuidSet
+     *
+     * @param teamUuidList 组uuid列表
+     * @param roleUuidSet  角色uuid列表
+     */
+    private void getTeamUuidListAndRoleUuidList(List<String> teamUuidList, Set<String> roleUuidSet, String env) {
         if (CollectionUtils.isNotEmpty(teamUuidList)) {
-            List<String> teamRoleUuidList = roleMapper.getRoleUuidListByTeamUuidListAndCheckedChildren(teamUuidList, null);
+            List<String> teamRoleUuidList = roleMapper.getRoleUuidListByTeamUuidListAndEnv(teamUuidList, env);
             roleUuidSet.addAll(teamRoleUuidList);
             Set<String> upwardUuidSet = new HashSet<>();
-            List<TeamVo> teamList =  teamMapper.getTeamByUuidList(teamUuidList);
+            List<TeamVo> teamList = teamMapper.getTeamByUuidList(teamUuidList);
             for (TeamVo teamVo : teamList) {
                 String upwardUuidPath = teamVo.getUpwardUuidPath();
                 if (StringUtils.isNotBlank(upwardUuidPath)) {
@@ -76,20 +97,19 @@ public class AuthenticationInfoServiceImpl implements AuthenticationInfoService
                 }
             }
             if (CollectionUtils.isNotEmpty(upwardUuidSet)) {
-                teamRoleUuidList = roleMapper.getRoleUuidListByTeamUuidListAndCheckedChildren(new ArrayList<>(upwardUuidSet), 1);
+                teamRoleUuidList = roleMapper.getRoleUuidListByTeamUuidListAndCheckedChildrenAndEnv(new ArrayList<>(upwardUuidSet), 1, env);
                 roleUuidSet.addAll(teamRoleUuidList);
             }
         }
-        return new AuthenticationInfoVo(userUuid, teamUuidList, new ArrayList<>(roleUuidSet));
     }
 
     /**
      * 查询用户鉴权时，需要用到到userUuidList、teamUuidList、roleUuidList，其中roleUuidList包含用户所在分组的拥护角色列表。
-     * @param userUuidList
-     * @return
+     *
+     * @param userUuidList 用户uuid列表
      */
     @Override
-    public AuthenticationInfoVo getAuthenticationInfo(List<String> userUuidList){
+    public AuthenticationInfoVo getAuthenticationInfo(List<String> userUuidList) {
         Set<String> teamUuidSet = new HashSet<>();
         Set<String> roleUuidSet = new HashSet<>();
         for (String userUuid : userUuidList) {
@@ -97,27 +117,21 @@ public class AuthenticationInfoServiceImpl implements AuthenticationInfoService
             teamUuidSet.addAll(teamUuidList);
             List<String> userRoleUuidList = roleMapper.getRoleUuidListByUserUuid(userUuid);
             roleUuidSet.addAll(userRoleUuidList);
-            if (CollectionUtils.isNotEmpty(teamUuidList)) {
-                List<String> teamRoleUuidList = roleMapper.getRoleUuidListByTeamUuidListAndCheckedChildren(teamUuidList, null);
-                roleUuidSet.addAll(teamRoleUuidList);
-                Set<String> upwardUuidSet = new HashSet<>();
-                List<TeamVo> teamList =  teamMapper.getTeamByUuidList(teamUuidList);
-                for (TeamVo teamVo : teamList) {
-                    String upwardUuidPath = teamVo.getUpwardUuidPath();
-                    if (StringUtils.isNotBlank(upwardUuidPath)) {
-                        String[] upwardUuidArray = upwardUuidPath.split(",");
-                        for (String upwardUuid : upwardUuidArray) {
-                            if (!upwardUuid.equals(teamVo.getUuid())) {
-                                upwardUuidSet.add(upwardUuid);
-                            }
-                        }
-                    }
-                }
-                if (CollectionUtils.isNotEmpty(upwardUuidSet)) {
-                    teamRoleUuidList = roleMapper.getRoleUuidListByTeamUuidListAndCheckedChildren(new ArrayList<>(upwardUuidSet), 1);
-                    roleUuidSet.addAll(teamRoleUuidList);
-                }
-            }
+            getTeamUuidListAndRoleUuidList(teamUuidList, roleUuidSet,null);
+        }
+        return new AuthenticationInfoVo(userUuidList, new ArrayList<>(teamUuidSet), new ArrayList<>(roleUuidSet));
+    }
+
+    @Override
+    public AuthenticationInfoVo getAuthenticationInfo(List<String> userUuidList, String env) {
+        Set<String> teamUuidSet = new HashSet<>();
+        Set<String> roleUuidSet = new HashSet<>();
+        for (String userUuid : userUuidList) {
+            List<String> teamUuidList = teamMapper.getTeamUuidListByUserUuid(userUuid);
+            teamUuidSet.addAll(teamUuidList);
+            List<String> userRoleUuidList = roleMapper.getRoleUuidListByUserUuidAndEnv(userUuid, env);
+            roleUuidSet.addAll(userRoleUuidList);
+            getTeamUuidListAndRoleUuidList(teamUuidList, roleUuidSet, env);
         }
         return new AuthenticationInfoVo(userUuidList, new ArrayList<>(teamUuidSet), new ArrayList<>(roleUuidSet));
     }
diff --git a/src/main/java/neatlogic/module/framework/filter/handler/DefaultLoginAuthHandler.java b/src/main/java/neatlogic/module/framework/filter/handler/DefaultLoginAuthHandler.java
index 95a3b79a63509255a810759a2759037407d734e7..3eb28f4dc0b70609ca23eb26c88cfc23882b704c 100644
--- a/src/main/java/neatlogic/module/framework/filter/handler/DefaultLoginAuthHandler.java
+++ b/src/main/java/neatlogic/module/framework/filter/handler/DefaultLoginAuthHandler.java
@@ -17,6 +17,7 @@ limitations under the License.
 package neatlogic.module.framework.filter.handler;
 
 import neatlogic.framework.common.config.Config;
+import neatlogic.framework.dto.JwtVo;
 import neatlogic.framework.dto.UserVo;
 import neatlogic.framework.filter.core.LoginAuthHandlerBase;
 import com.alibaba.fastjson.JSONArray;
@@ -96,6 +97,7 @@ public class DefaultLoginAuthHandler extends LoginAuthHandlerBase {
                 String jwt = authorization.substring(7);
                 String[] jwtParts = jwt.split("\\.");
                 if (jwtParts.length == 3) {
+                    userVo.setJwtVo(new JwtVo(jwtParts));
                     SecretKeySpec signingKey = new SecretKeySpec(Config.JWT_SECRET().getBytes(), "HmacSHA1");
                     Mac mac;
                     try {
@@ -110,6 +112,7 @@ public class DefaultLoginAuthHandler extends LoginAuthHandlerBase {
                             userVo.setUserId(jwtBodyObj.getString("userid"));
                             userVo.setUserName(jwtBodyObj.getString("username"));
                             userVo.setIsSuperAdmin(jwtBodyObj.getBoolean("isSuperAdmin"));
+                            userVo.getJwtVo().setTokenCreateTime(jwtBodyObj.getLong("createTime"));
                             if(jwtBodyObj.getJSONArray("rolelist") != null) {
                                 userVo.setRoleUuidList(JSONArray.parseArray(jwtBodyObj.getJSONArray("rolelist").toJSONString(),String.class));
                             }
diff --git a/src/main/java/neatlogic/module/framework/filter/handler/HmacLoginAuthHandler.java b/src/main/java/neatlogic/module/framework/filter/handler/HmacLoginAuthHandler.java
index d3d5a4ccdd78ba385314744c773266894ffd5a79..45cf04ab1ed7f74815c262853a237da1e66ce867 100644
--- a/src/main/java/neatlogic/module/framework/filter/handler/HmacLoginAuthHandler.java
+++ b/src/main/java/neatlogic/module/framework/filter/handler/HmacLoginAuthHandler.java
@@ -113,4 +113,11 @@ public class HmacLoginAuthHandler extends LoginAuthHandlerBase {
         return null;
     }
 
+
+    @Override
+    public boolean isValidTokenCreateTime(){
+        //hmac认证用于其他系统直接调用后台认证，无需更新tokenCreateTime，否则可能会导致同个用户浏览器登录失效。
+        return false;
+    }
+
 }
diff --git a/src/main/java/neatlogic/module/framework/login/handler/LoginController.java b/src/main/java/neatlogic/module/framework/login/handler/LoginController.java
index da7367f006403f7d776b363dec2c7fac00d21449..adb22c7a468165985226515777506b6b2882844f 100644
--- a/src/main/java/neatlogic/module/framework/login/handler/LoginController.java
+++ b/src/main/java/neatlogic/module/framework/login/handler/LoginController.java
@@ -17,6 +17,7 @@ limitations under the License.
 package neatlogic.module.framework.login.handler;
 
 import com.alibaba.fastjson.JSONObject;
+import neatlogic.framework.asynchronization.threadlocal.RequestContext;
 import neatlogic.framework.asynchronization.threadlocal.TenantContext;
 import neatlogic.framework.asynchronization.threadlocal.UserContext;
 import neatlogic.framework.auth.init.MaintenanceMode;
@@ -139,9 +140,9 @@ public class LoginController {
             if (Config.ENABLE_MAINTENANCE() && Config.MAINTENANCE().equals(userVo.getUserId())) {
                 String maintenancePassword = Config.MAINTENANCE_PASSWORD();
                 maintenancePassword = RC4Util.decrypt(maintenancePassword);
-                if(Objects.equals(Config.LOGIN_AUTH_PASSWORD_ENCRYPT(),"md5")) {
+                if (Objects.equals(Config.LOGIN_AUTH_PASSWORD_ENCRYPT(), "md5")) {
                     maintenancePassword = "{MD5}" + Md5Util.encryptMD5(maintenancePassword);
-                }else if(Objects.equals(Config.LOGIN_AUTH_PASSWORD_ENCRYPT(),"base64")){
+                } else if (Objects.equals(Config.LOGIN_AUTH_PASSWORD_ENCRYPT(), "base64")) {
                     maintenancePassword = "{BS}" + new String(Base64.getEncoder().encode(maintenancePassword.getBytes()));
                 }
                 if (password.equals(maintenancePassword)) {
@@ -165,7 +166,7 @@ public class LoginController {
                 }
                 if (checkUserVo != null) {
                     String timezone = "+8:00";
-                    authenticationInfoVo = authenticationInfoService.getAuthenticationInfo(checkUserVo.getUuid());
+                    authenticationInfoVo = authenticationInfoService.getAuthenticationInfo(checkUserVo.getUuid(), request.getHeader("Env"));
                     UserContext.init(checkUserVo, authenticationInfoVo, timezone, request, response);
                     for (ILoginPostProcessor loginPostProcessor : LoginPostProcessorFactory.getLoginPostProcessorSet()) {
                         loginPostProcessor.loginAfterInitialization();
@@ -174,20 +175,22 @@ public class LoginController {
             }
 
             if (checkUserVo != null) {
+                //初始化request上下文
+                RequestContext.init(request, request.getRequestURI(), response);
                 checkUserVo.setTenant(tenant);
+                JwtVo jwtVo = LoginAuthHandlerBase.buildJwt(checkUserVo);
                 String AuthenticationInfoStr = null;
                 if (authenticationInfoVo != null) {
                     AuthenticationInfoStr = JSONObject.toJSONString(authenticationInfoVo);
                 }
                 // 保存 user 登录访问时间
-                userSessionMapper.insertUserSession(checkUserVo.getUuid(), AuthenticationInfoStr);
+                userSessionMapper.insertUserSession(checkUserVo.getUuid(), jwtVo.getTokenHash(), jwtVo.getTokenCreateTime(), AuthenticationInfoStr);
                 //更新租户visitTime
                 TenantContext.get().setUseDefaultDatasource(true);
                 if (!tenantVisitSet.contains(tenant)) {
                     tenantMapper.updateTenantVisitTime(tenant);
                     tenantVisitSet.add(tenant);
                 }
-                JwtVo jwtVo = LoginAuthHandlerBase.buildJwt(checkUserVo);
                 LoginAuthHandlerBase.setResponseAuthCookie(response, request, tenant, jwtVo);
                 returnObj.put("Status", "OK");
                 returnObj.put("JwtToken", jwtVo.getJwthead() + "." + jwtVo.getJwtbody() + "." + jwtVo.getJwtsign());
diff --git a/src/main/java/neatlogic/module/framework/restful/api/ModuleListApi.java b/src/main/java/neatlogic/module/framework/restful/api/ModuleListApi.java
index 1b681e2da0f1f8e1cb9c6ed66ee4032b4a081c58..b986cd809a0f5b456889da613848f62294f738b9 100644
--- a/src/main/java/neatlogic/module/framework/restful/api/ModuleListApi.java
+++ b/src/main/java/neatlogic/module/framework/restful/api/ModuleListApi.java
@@ -22,6 +22,7 @@ import neatlogic.framework.asynchronization.threadlocal.TenantContext;
 import neatlogic.framework.asynchronization.threadlocal.UserContext;
 import neatlogic.framework.common.constvalue.ApiParamType;
 import neatlogic.framework.dao.mapper.UserMapper;
+import neatlogic.framework.dto.AuthenticationInfoVo;
 import neatlogic.framework.dto.UserAuthVo;
 import neatlogic.framework.dto.module.ModuleVo;
 import neatlogic.framework.restful.annotation.*;
@@ -39,52 +40,54 @@ import java.util.Set;
 @Service
 @OperationType(type = OperationTypeEnum.SEARCH)
 public class ModuleListApi extends PrivateApiComponentBase {
-	@Autowired
-	UserMapper userMapper;
+    @Autowired
+    UserMapper userMapper;
 
-	@Override
-	public String getToken() {
-		return "/module/list";
-	}
+    @Override
+    public String getToken() {
+        return "/module/list";
+    }
 
-	@Override
-	public String getName() {
-		return "获取租户激活模块接口";
-	}
+    @Override
+    public String getName() {
+        return "获取租户激活模块接口";
+    }
 
-	@Override
-	public String getConfig() {
-		return null;
-	}
+    @Override
+    public String getConfig() {
+        return null;
+    }
 
-	@Input({})
-	@Output({
-		@Param( name = "value", type = ApiParamType.STRING, desc = "模块"),
-		@Param( name = "text", type = ApiParamType.STRING, desc = "模块名") 
-		})
-	@Description(desc = "获取租户激活模块接口")
-	@Override
-	public Object myDoService(JSONObject jsonObj) throws Exception {
-		JSONArray resultArray = new JSONArray();
-		 Set<String> authGroupSet = new HashSet<String>();
+    @Input({})
+    @Output({
+            @Param(name = "value", type = ApiParamType.STRING, desc = "模块"),
+            @Param(name = "text", type = ApiParamType.STRING, desc = "模块名")
+    })
+    @Description(desc = "获取租户激活模块接口")
+    @Override
+    public Object myDoService(JSONObject jsonObj) throws Exception {
+        JSONArray resultArray = new JSONArray();
+        Set<String> authGroupSet = new HashSet<String>();
         //获取用户权限
-        List<UserAuthVo>  userAuthList = userMapper.searchUserAllAuthByUserAuth(new UserAuthVo(UserContext.get().getUserUuid()));
-        for(UserAuthVo userAuth:userAuthList) {
-        	authGroupSet.add(userAuth.getAuthGroup());
+        AuthenticationInfoVo authenticationInfoVo = UserContext.get().getAuthenticationInfoVo();
+        String env = UserContext.get().getEnv();
+        List<UserAuthVo> userAuthList = userMapper.searchUserAllAuthByUserAuth(authenticationInfoVo, env);
+        for (UserAuthVo userAuth : userAuthList) {
+            authGroupSet.add(userAuth.getAuthGroup());
         }
-		Set<String> checkSet = new HashSet<>();
-		for (ModuleVo moduleVo : TenantContext.get().getActiveModuleList()) {
-			if (authGroupSet.contains(moduleVo.getGroup())&&!checkSet.contains(moduleVo.getGroup())) {
-				checkSet.add(moduleVo.getGroup());
-				JSONObject returnObj = new JSONObject();
-				returnObj.put("value", moduleVo.getGroup());
-				returnObj.put("text", $.t(moduleVo.getGroupName()));
-				returnObj.put("sort", moduleVo.getGroupSort());
-				resultArray.add(returnObj);
-			}
-		}
-		resultArray.sort(Comparator.comparing(obj-> ((JSONObject) obj).getInteger("sort")));
-		
-		return resultArray;
-	}
+        Set<String> checkSet = new HashSet<>();
+        for (ModuleVo moduleVo : TenantContext.get().getActiveModuleList()) {
+            if (authGroupSet.contains(moduleVo.getGroup()) && !checkSet.contains(moduleVo.getGroup())) {
+                checkSet.add(moduleVo.getGroup());
+                JSONObject returnObj = new JSONObject();
+                returnObj.put("value", moduleVo.getGroup());
+                returnObj.put("text", $.t(moduleVo.getGroupName()));
+                returnObj.put("sort", moduleVo.getGroupSort());
+                resultArray.add(returnObj);
+            }
+        }
+        resultArray.sort(Comparator.comparing(obj -> ((JSONObject) obj).getInteger("sort")));
+
+        return resultArray;
+    }
 }
diff --git a/src/main/resources/neatlogic/resources/framework/changelog/2023-12-19/neatlogic_tenant.sql b/src/main/resources/neatlogic/resources/framework/changelog/2023-12-19/neatlogic_tenant.sql
new file mode 100644
index 0000000000000000000000000000000000000000..d37c5776f52c3d5206f178819d93e91894141f14
--- /dev/null
+++ b/src/main/resources/neatlogic/resources/framework/changelog/2023-12-19/neatlogic_tenant.sql
@@ -0,0 +1,9 @@
+truncate `user_session`;
+
+ALTER TABLE `user_session` ADD COLUMN `token_hash` char(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL COMMENT 'token哈希值' AFTER `user_uuid`;
+
+ALTER TABLE `user_session` ADD COLUMN `token_create_time` bigint NULL DEFAULT NULL COMMENT 'token创建的时间' AFTER `token_hash`;
+
+ALTER TABLE `user_session` DROP PRIMARY KEY;
+
+ALTER TABLE `user_session` ADD PRIMARY KEY (`token_hash`) USING HASH;
\ No newline at end of file
diff --git a/src/main/resources/neatlogic/resources/framework/changelog/2023-12-19/version.json b/src/main/resources/neatlogic/resources/framework/changelog/2023-12-19/version.json
new file mode 100644
index 0000000000000000000000000000000000000000..106d5f32f125a0f787ef720ea5fe77cf09ddb0e1
--- /dev/null
+++ b/src/main/resources/neatlogic/resources/framework/changelog/2023-12-19/version.json
@@ -0,0 +1,12 @@
+{
+  "content":[
+    {
+      "type":"新增功能",
+      "detail":[
+        {"msg":"1.根据访问入口header env,动态生效角色"},
+        {"msg":"2.资源中心--资产清单查看权限依据团体和模型查看权限"},
+        {"msg":"3.优化登录及认证逻辑"}
+      ]
+    }
+  ]
+}