diff --git a/src/main/java/route/CtrlUser.kt b/src/main/java/route/CtrlUser.kt
index 2c5e5d6..aac84f4 100644
--- a/src/main/java/route/CtrlUser.kt
+++ b/src/main/java/route/CtrlUser.kt
@@ -157,11 +157,15 @@ class CtrlUser : Controller() {
         if (user == null) {
             return JSONResponse(Const.codeResourceNotFound, Const.msgNotFound, null)
         } else {
-            val session = request.getSession(true)
-            val token = md5(name + ":" + passwd)
-            session.put("name", name)
-            session.put("token", token)
-            return responseSuccess(token)
+            if (user.passwd == passwd) {
+                val session = request.getSession(true)
+                val token = md5(name + ":" + passwd)
+                session.put("name", name)
+                session.put("token", token)
+                return responseSuccess(token)
+            } else {
+                return JSONResponse(403, "密码错误", null)
+            }
         }
     }