diff --git a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/embed/EmbedAuthenticationProperties.java b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/embed/EmbedAuthenticationProperties.java
index e4a09e3c0..1b35e4b1a 100644
--- a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/embed/EmbedAuthenticationProperties.java
+++ b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/embed/EmbedAuthenticationProperties.java
@@ -2,6 +2,7 @@ package org.hswebframework.web.authorization.basic.embed;
 
 import lombok.Getter;
 import lombok.Setter;
+import org.apache.commons.collections4.MapUtils;
 import org.hswebframework.web.authorization.Authentication;
 import org.hswebframework.web.authorization.AuthenticationRequest;
 import org.hswebframework.web.authorization.builder.DataAccessConfigBuilderFactory;
@@ -69,7 +70,10 @@ public class EmbedAuthenticationProperties implements InitializingBean {
                     for (Map.Entry<String, Object> stringObjectEntry : objectMap.entrySet()) {
                         if (stringObjectEntry.getValue() instanceof Map) {
                             Map<?, ?> mapVal = ((Map) stringObjectEntry.getValue());
-                            boolean maybeIsList = mapVal.keySet().stream().allMatch(org.hswebframework.utils.StringUtils::isInt);
+                            boolean maybeIsList = mapVal
+                                    .keySet()
+                                    .stream()
+                                    .allMatch(org.hswebframework.utils.StringUtils::isInt);
                             if (maybeIsList) {
                                 stringObjectEntry.setValue(mapVal.values());
                             }
@@ -82,20 +86,23 @@ public class EmbedAuthenticationProperties implements InitializingBean {
     }
 
     public Authentication authenticate(AuthenticationRequest request) {
-        if(request instanceof PlainTextUsernamePasswordAuthenticationRequest){
+        if (MapUtils.isEmpty(users)) {
+            return null;
+        }
+        if (request instanceof PlainTextUsernamePasswordAuthenticationRequest) {
             PlainTextUsernamePasswordAuthenticationRequest pwdReq = ((PlainTextUsernamePasswordAuthenticationRequest) request);
-            return users.values()
-                    .stream()
-                    .filter(user ->
-                            pwdReq.getUsername().equals(user.getUsername())
-                                    && pwdReq.getPassword().equals(user.getPassword()))
-                    .findFirst()
-                    .map(EmbedAuthenticationInfo::getId)
-                    .map(authentications::get)
-                    .orElseThrow(() -> new ValidationException("用户不存在"));
+            for (EmbedAuthenticationInfo user : users.values()) {
+                if (pwdReq.getUsername().equals(user.getUsername())) {
+                    if (pwdReq.getPassword().equals(user.getPassword())) {
+                        return user.toAuthentication(dataAccessConfigBuilderFactory);
+                    }
+                    return null;
+                }
+            }
+            return null;
         }
 
-        throw new UnsupportedOperationException("不支持的授权请求:"+request);
+        throw new UnsupportedOperationException("不支持的授权请求:" + request);
     }
 
     public Optional<Authentication> getAuthentication(String userId) {
diff --git a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/embed/EmbedReactiveAuthenticationManager.java b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/embed/EmbedReactiveAuthenticationManager.java
index 6aabf28d9..94fbd6739 100644
--- a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/embed/EmbedReactiveAuthenticationManager.java
+++ b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/embed/EmbedReactiveAuthenticationManager.java
@@ -1,6 +1,8 @@
 package org.hswebframework.web.authorization.basic.embed;
 
 import lombok.AllArgsConstructor;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.collections4.MapUtils;
 import org.hswebframework.web.authorization.Authentication;
 import org.hswebframework.web.authorization.AuthenticationRequest;
 import org.hswebframework.web.authorization.ReactiveAuthenticationManager;
@@ -22,7 +24,16 @@ public class EmbedReactiveAuthenticationManager implements ReactiveAuthenticatio
 
     @Override
     public Mono<Authentication> authenticate(Mono<AuthenticationRequest> request) {
-        return request.map(properties::authenticate);
+        if (MapUtils.isEmpty(properties.getUsers())) {
+            return Mono.empty();
+        }
+        return request.
+                handle((req, sink) -> {
+                    Authentication auth = properties.authenticate(req);
+                    if (auth != null) {
+                        sink.next(auth);
+                    }
+                });
 
     }