diff --git a/java-backend/src/main/java/com/lesingle/creation/controller/PermissionController.java b/java-backend/src/main/java/com/lesingle/creation/controller/PermissionController.java
index 45f2c29..3ad2995 100644
--- a/java-backend/src/main/java/com/lesingle/creation/controller/PermissionController.java
+++ b/java-backend/src/main/java/com/lesingle/creation/controller/PermissionController.java
@@ -30,7 +30,7 @@ public class PermissionController {
 @PostMapping
 @Operation(summary = "创建权限")
- @PreAuthorize("hasAuthority('super_admin')")
+ @PreAuthorize("hasRole('super_admin')")
 public Result create(
 @AuthenticationPrincipal UserPrincipal userPrincipal,
 @RequestBody @Validated CreatePermissionDTO dto) {
@@ -73,7 +73,7 @@ public class PermissionController {
 @PutMapping("/{id}")
 @Operation(summary = "更新权限")
- @PreAuthorize("hasAuthority('super_admin')")
+ @PreAuthorize("hasRole('super_admin')")
 public Result update(
 @AuthenticationPrincipal UserPrincipal userPrincipal,
 @PathVariable Long id,
@@ -85,7 +85,7 @@ public class PermissionController {
 @DeleteMapping("/{id}")
 @Operation(summary = "删除权限")
- @PreAuthorize("hasAuthority('super_admin')")
+ @PreAuthorize("hasRole('super_admin')")
 public Result delete(
 @PathVariable Long id) {
 permissionService.delete(id);
diff --git a/java-backend/src/main/java/com/lesingle/creation/controller/UserController.java b/java-backend/src/main/java/com/lesingle/creation/controller/UserController.java
index 1850301..685dc1a 100644
--- a/java-backend/src/main/java/com/lesingle/creation/controller/UserController.java
+++ b/java-backend/src/main/java/com/lesingle/creation/controller/UserController.java
@@ -42,7 +42,7 @@ public class UserController {
 @GetMapping("/stats")
 @Operation(summary = "用户统计(仅超管)")
- @PreAuthorize("hasAuthority('super_admin')")
+ @PreAuthorize("hasRole('super_admin')")
 public Result getStats() {
 UserStatsVO result = userService.getStats();
 return Result.success(result);
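Review bot: The four `@PreAuthorize("hasRole('super_admin')")` annotations in this file's three hunks and in the UserController hunk now rely on the `ROLE_` prefix that Spring's `hasRole` prepends by default, so they only hold if no custom role-prefix (`GrantedAuthorityDefaults`) bean is configured and the role row's `code` is exactly `super_admin`, neither of which is visible here. The literal is repeated in six places across the patch (these four, UserDetailsServiceImpl and SecurityUtils), so a later rename of the role code would silently lock every super-admin endpoint. A composed annotation keeps the check in one place, e.g. `@Target(ElementType.METHOD) @Retention(RetentionPolicy.RUNTIME) @PreAuthorize("hasRole('super_admin')") public @interface SuperAdminOnly {}`, or at least a shared constant for the role code. Each annotated method's body continues outside its hunk.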
diff --git a/java-backend/src/main/java/com/lesingle/creation/service/impl/UserDetailsServiceImpl.java b/java-backend/src/main/java/com/lesingle/creation/service/impl/UserDetailsServiceImpl.java
index 3460de2..f106269 100644
--- a/java-backend/src/main/java/com/lesingle/creation/service/impl/UserDetailsServiceImpl.java
+++ b/java-backend/src/main/java/com/lesingle/creation/service/impl/UserDetailsServiceImpl.java
@@ -3,6 +3,7 @@ package com.lesingle.creation.service.impl;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.lesingle.creation.common.security.UserPrincipal;
 import com.lesingle.creation.entity.Permission;
+import com.lesingle.creation.entity.Role;
 import com.lesingle.creation.entity.Tenant;
 import com.lesingle.creation.entity.User;
 import com.lesingle.creation.entity.UserRole;
@@ -10,6 +11,7 @@ import com.lesingle.creation.entity.RolePermission;
 import com.lesingle.creation.mapper.TenantMapper;
 import com.lesingle.creation.mapper.UserMapper;
 import com.lesingle.creation.mapper.UserRoleMapper;
+import com.lesingle.creation.mapper.RoleMapper;
 import com.lesingle.creation.mapper.RolePermissionMapper;
 import com.lesingle.creation.mapper.PermissionMapper;
 import lombok.RequiredArgsConstructor;
@@ -20,10 +22,11 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
+import org.springframework.util.StringUtils;
+
 import java.util.ArrayList;
+import java.util.LinkedHashSet;
 import java.util.List;
-import java.util.Map;
-import java.util.Set;
 import java.util.stream.Collectors;
 /**
@@ -38,6 +41,7 @@ public class UserDetailsServiceImpl implements UserDetailsService {
 private final UserMapper userMapper;
 private final TenantMapper tenantMapper;
 private final UserRoleMapper userRoleMapper;
+ private final RoleMapper roleMapper;
 private final RolePermissionMapper rolePermissionMapper;
 private final PermissionMapper permissionMapper;
@@ -89,10 +93,21 @@ public class UserDetailsServiceImpl implements UserDetailsService {
 List userRoles = userRoleMapper.selectList(new LambdaQueryWrapper() .eq(UserRole::getUserId, user.getId()));
- // 查询角色权限
+ // 角色编码 -> ROLE_xxx(供 hasRole('super_admin') 等使用)
+ LinkedHashSet authorityStrings = new LinkedHashSet<>();
 List permissionCodes = new ArrayList<>();
 if (!userRoles.isEmpty()) {
- List roleIds = userRoles.stream().map(UserRole::getRoleId).collect(Collectors.toList());
+ List roleIds = userRoles.stream().map(UserRole::getRoleId).distinct().collect(Collectors.toList());
+ List roles = roleMapper.selectList(
+ new LambdaQueryWrapper()
+ .in(Role::getId, roleIds)
+ .eq(Role::getDeleted, 0));
+ for (Role role : roles) {
+ if (StringUtils.hasText(role.getCode())) {
+ authorityStrings.add("ROLE_" + role.getCode());
+ }
+ }
+
 List rolePermissions = rolePermissionMapper.selectList( new LambdaQueryWrapper() .in(RolePermission::getRoleId, roleIds)
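Review bot: `roleIds` is still built from every `UserRole` row, while the new `roles` query drops rows with `deleted != 0`, so a soft-deleted role no longer yields its `ROLE_` authority but its permissions are still gathered through `rolePermissionMapper.selectList(... .in(RolePermission::getRoleId, roleIds))` at the end of the hunk — unless that query, which continues past the hunk, also joins on the role's deleted flag, which is not shown. Deriving the permission lookup from the filtered roles keeps the two in step: `List activeRoleIds = roles.stream().map(Role::getId).collect(Collectors.toList());` and `.in(RolePermission::getRoleId, activeRoleIds)`, guarded by `if (!activeRoleIds.isEmpty())` because, as far as I recall, MyBatis-Plus renders an empty `in` collection as unusable SQL. Separately, `"ROLE_" + role.getCode()` is applied unconditionally, so a code already stored as `ROLE_super_admin` becomes `ROLE_ROLE_super_admin` and never satisfies `hasRole`; either normalize the prefix here or reject prefixed codes where roles are created. The method starts before this hunk and continues past it.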
@@ -109,16 +124,17 @@ public class UserDetailsServiceImpl implements UserDetailsService {
 );
 permissionCodes = permissions.stream() .map(Permission::getCode)
+ .filter(StringUtils::hasText)
 .collect(Collectors.toList());
 }
 }
+ authorityStrings.addAll(permissionCodes);
- // 构建 authorities
- List authorities = permissionCodes.stream()
- .map(code -> new SimpleGrantedAuthority(code))
+ List authorities = authorityStrings.stream()
+ .map(SimpleGrantedAuthority::new)
 .collect(Collectors.toList());
- log.debug("用户 {} 的权限列表:{}", user.getUsername(), permissionCodes);
+ log.debug("用户 {} 的角色与权限:{}", user.getUsername(), authorityStrings);
 // 构建 UserPrincipal 对象(包含用户 ID、租户 ID、租户编码等信息)
 UserPrincipal userPrincipal = new UserPrincipal(
diff --git a/java-backend/src/main/java/com/lesingle/creation/util/SecurityUtils.java b/java-backend/src/main/java/com/lesingle/creation/util/SecurityUtils.java
index 0057d4c..f8d9a11 100644
--- a/java-backend/src/main/java/com/lesingle/creation/util/SecurityUtils.java
+++ b/java-backend/src/main/java/com/lesingle/creation/util/SecurityUtils.java
@@ -128,9 +128,10 @@ public class SecurityUtils {
 return false;
 }
- // 检查是否有 super_admin 角色
+ // 超管角色:ROLE_super_admin(与 UserDetailsServiceImpl 中角色编码一致)
 return authentication.getAuthorities().stream()
- .anyMatch(grantedAuthority -> "ROLE_super_admin".equals(grantedAuthority.getAuthority()));
+ .anyMatch(a -> "ROLE_super_admin".equals(a.getAuthority())
+ || "super_admin".equals(a.getAuthority()));
 }
 /**
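Review bot: `authorityStrings.addAll(permissionCodes)` puts database-sourced permission codes and the `ROLE_`-prefixed role codes into one namespace, so a permission row whose `code` starts with `ROLE_` would satisfy `hasRole` for that role without the role ever being assigned. Either reject such codes where permissions are created, or drop them here next to the new text check: `.filter(StringUtils::hasText).filter(code -> !code.startsWith("ROLE_"))`, with a comment explaining why the prefix is reserved for roles. The method starts before this hunk and continues past it.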
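Review bot: The added fallback `|| "super_admin".equals(a.getAuthority())` keeps the unprefixed string authoritative in `isSuperAdmin`, while the controllers in this patch now require `ROLE_super_admin` through `hasRole`, so the two checks disagree: because UserDetailsServiceImpl merges permission codes into the same authority list, a permission row with code `super_admin` would pass this method yet fail `@PreAuthorize`. If the second clause is only a bridge for sessions issued before this change, state that in the comment (`// TODO: remove once pre-ROLE_ sessions have expired`) and plan its removal; otherwise drop it so the role is the single source of super-admin status. The enclosing method begins before this hunk.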