diff --git a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java
index 393c8af5e..080d3e23a 100644
--- a/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java
+++ b/hsweb-authorization/hsweb-authorization-basic/src/main/java/org/hswebframework/web/authorization/basic/handler/DefaultAuthorizingHandler.java
@@ -201,7 +201,10 @@ public class DefaultAuthorizingHandler implements AuthorizingHandler {
 Function, Boolean> func = logicalIsOr
 ? authentication.getRoles().stream()::anyMatch
 : authentication.getRoles().stream()::allMatch;
- access = func.apply(role -> rolesDef.contains(role.getId()));
+
+ access = logicalIsOr
+ ? access || func.apply(role -> rolesDef.contains(role.getId()))
+ : access && func.apply(role -> rolesDef.contains(role.getId()));
 }
 //控制用户
 if (!usersDef.isEmpty()) {
@@ -211,7 +214,10 @@ public class DefaultAuthorizingHandler implements AuthorizingHandler {
 Function, Boolean> func = logicalIsOr
 ? usersDef.stream()::anyMatch
 : usersDef.stream()::allMatch;
- access = func.apply(authentication.getUser().getUsername()::equals);
+ access = logicalIsOr
+ ? access || func.apply(authentication.getUser().getUsername()::equals)
+ : access && func.apply(authentication.getUser().getUsername()::equals);
+
 }
 if (!access) {
 throw new AccessDenyException(definition.getMessage());
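Review bot: In the OR branch `access || func.apply(...)` can never lower `access`, so the role check has no effect when `access` is already `true` on entry to this block. The declaration of `access` is above the hunk; if it is initialised to `true` (an assumption to confirm), a definition that lists only roles under OR logic would pass a caller holding none of them, and the user block in the second hunk has the same shape. Seed the accumulator with the operator's identity, e.g. `boolean access = !logicalIsOr;`, and decide explicitly what a definition with no constraints at all should return. A regression test in which a roles-only OR definition rejects a caller without the role would pin this; the method body starts and ends outside the hunk.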
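Review bot: Under AND logic `usersDef.stream()::allMatch` paired with `getUsername()::equals` is true only when every configured user equals the caller's name, so a definition listing two or more distinct users denies everyone, and the new `access &&` term carries that denial into the final result. It fails closed, but it is probably not the intent, since membership in a user list is an any-of test however the categories are combined. Assuming `usersDef` is a `Collection`, consider `boolean userMatch = usersDef.contains(authentication.getUser().getUsername());` and use `logicalIsOr` only to merge `userMatch` into `access`. The enclosing `if` block and method continue outside the hunk.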