diff --git a/authorization-server/src/main/java/io/bluemoon/authorizationserver/AuthorizationServerApplication.java b/authorization-server/src/main/java/io/bluemoon/authorizationserver/AuthorizationServerApplication.java
index 1243975..ddfa3f3 100644
--- a/authorization-server/src/main/java/io/bluemoon/authorizationserver/AuthorizationServerApplication.java
+++ b/authorization-server/src/main/java/io/bluemoon/authorizationserver/AuthorizationServerApplication.java
@@ -2,8 +2,10 @@ package io.bluemoon.authorizationserver;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
 @SpringBootApplication
+@EnableResourceServer
 public class AuthorizationServerApplication {
 public static void main(String[] args) {
diff --git a/authorization-server/src/main/java/io/bluemoon/authorizationserver/config/WebSecurityConfig.java b/authorization-server/src/main/java/io/bluemoon/authorizationserver/config/WebSecurityConfig.java
index de120d7..95ef293 100644
--- a/authorization-server/src/main/java/io/bluemoon/authorizationserver/config/WebSecurityConfig.java
+++ b/authorization-server/src/main/java/io/bluemoon/authorizationserver/config/WebSecurityConfig.java
@@ -14,7 +14,8 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 @Configuration
-@Order(SecurityProperties.BASIC_AUTH_ORDER - 6)
+//@Order(SecurityProperties.BASIC_AUTH_ORDER - 6)
+@Order(-1)
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 private CustomUserDetailsServiceImpl customUserDetailsService;
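Review bot: `@EnableResourceServer` on the application class installs a second filter chain (default order 3, with no ResourceServerConfigurerAdapter in this module) and nothing in the file says which requests that chain is meant to own. A one-line comment above the annotation would save the next reader a trip through three modules, e.g. `// Resource-server chain: guards bearer-token endpoints such as /user; WebSecurityConfig (order -1) claims only the login/consent paths`. The relationship between the two orders is only visible when this file is read together with WebSecurityConfig.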
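Review bot: The old `@Order(SecurityProperties.BASIC_AUTH_ORDER - 6)` line is kept as a comment instead of being deleted; history lives in git, and a commented-out annotation is easy to uncomment by accident. Drop the `//@Order(...)` line, and if `SecurityProperties` is now referenced nowhere else in the file (its import is outside the hunk) remove that import as well. A comment on why `-1` was chosen, such as `// must run before the authorization-server and resource-server chains`, would be a more useful replacement.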
@@ -42,6 +43,8 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 http.formLogin().loginPage("/login").permitAll()
+ .and()
+ .requestMatchers().antMatchers("/login", "/logout", "/oauth/authorize", "/oauth/confirm_access")
 .and()
 .authorizeRequests().anyRequest().authenticated();
diff --git a/authorization-server/src/main/java/io/bluemoon/authorizationserver/controller/sso/SsoController.java b/authorization-server/src/main/java/io/bluemoon/authorizationserver/controller/sso/SsoController.java
index ba8a855..c19c32e 100644
--- a/authorization-server/src/main/java/io/bluemoon/authorizationserver/controller/sso/SsoController.java
+++ b/authorization-server/src/main/java/io/bluemoon/authorizationserver/controller/sso/SsoController.java
@@ -11,6 +11,7 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import javax.servlet.http.HttpServletRequest;
+import java.security.Principal;
 @Controller
 public class SsoController {
@@ -68,4 +69,10 @@ public class SsoController {
 return "aa";
 }
+ @RequestMapping(value = "/user")
+ @ResponseBody
+ public Principal user(Principal user) {
+ return user;
+ }
+
 }
diff --git a/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/GatewayZuulApplication.java b/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/GatewayZuulApplication.java
index de2b181..d7b3bd8 100644
--- a/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/GatewayZuulApplication.java
+++ b/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/GatewayZuulApplication.java
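Review bot: The new `.requestMatchers().antMatchers(...)` call narrows this chain to four paths, which silently changes who protects everything else in the authorization server, and nothing in the hunk records that. Add a comment above the `http.formLogin()` line such as `// This chain only serves the browser login/consent flow; every other path (e.g. /user) falls through to the @EnableResourceServer chain`. It is worth confirming that `/oauth/token` and `/oauth/check_token` are still claimed by the authorization-server chain, since they are not in this list; `configure()` continues past the end of the hunk.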
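Review bot: `user(Principal user)` returns the `Principal` object itself, which under `@EnableResourceServer` is the full `Authentication` (presumably an `OAuth2Authentication`) and gets serialized by Jackson field by field, so details, authorities and whatever the custom user object carries are sent to any client holding a token. Return an explicit projection instead, e.g. `Map<String, Object> body = new LinkedHashMap<>(); body.put("name", user.getName()); return body;` plus the authorities the gateway's user-info consumer needs (its default principal extractor looks for a `name`-style key), and constrain the mapping with `method = RequestMethod.GET`. That keeps the wire format stable even when the authentication class changes.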
@@ -7,12 +7,17 @@ import org.springframework.cloud.client.loadbalancer.LoadBalancerInterceptor;
 import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
 import org.springframework.context.annotation.Bean;
 import org.springframework.http.client.ClientHttpRequestInterceptor;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
 import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsAccessTokenProvider;
 import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider;
 import org.springframework.security.oauth2.client.token.grant.implicit.ImplicitAccessTokenProvider;
 import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.Collectors;
@@ -26,6 +31,17 @@ public class GatewayZuulApplication {
 SpringApplication.run(GatewayZuulApplication.class, args);
 }
+ @Controller
+ @RequestMapping("/")
+ public static class TestController {
+ @RequestMapping(method = RequestMethod.GET)
+ public String test(Principal principal) {
+ System.out.println(principal.getName());
+ System.out.println(principal.toString());
+ return "aa";
+ }
+ }
+
 // @Bean
 // UserInfoRestTemplateCustomizer userInfoRestTemplateCustomizer(LoadBalancerInterceptor loadBalancerInterceptor) {
 // return template -> {
diff --git a/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/config/SecurityConfig.java b/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/config/SecurityConfig.java
index d270dfb..9c5c6d5 100644
--- a/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/config/SecurityConfig.java
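Review bot: `System.out.println(principal.toString())` in `test()` writes the entire `Authentication` to stdout; for an OAuth2 request the `details` object includes the bearer token value in its `toString()` as far as I recall, so the console log would contain live credentials. Replace the two println lines with a parameterized logger call that records only the name, e.g. `log.debug("user={}", principal.getName());`, or remove `TestController` before merging given it returns the placeholder view `"aa"`. The `AuthenticationPrincipal` import added in the previous hunk is not used by this class.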
+++ b/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/config/SecurityConfig.java
@@ -18,10 +18,7 @@ import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
 import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter;
 import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
-import org.springframework.security.web.csrf.CsrfFilter;
-import org.springframework.security.web.csrf.CsrfToken;
-import org.springframework.security.web.csrf.CsrfTokenRepository;
-import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
+import org.springframework.security.web.csrf.*;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
@@ -38,7 +35,7 @@ import java.util.regex.Pattern;
 @Configuration
 @EnableOAuth2Sso
 @EnableResourceServer
-@Order(value = 0)
+@Order(value = -1)
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 // @Bean
@@ -52,9 +49,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 http.authorizeRequests()
 .antMatchers("/mk-auth/**", "/login").permitAll().anyRequest().authenticated()
 .and()
- .csrf().requireCsrfProtectionMatcher(csrfRequestMatcher()).csrfTokenRepository(csrfTokenRepository())
- .and()
- .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
+// .csrf().requireCsrfProtectionMatcher(csrfRequestMatcher()).csrfTokenRepository(csrfTokenRepository())
+// .and()
+// .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
 .logout().permitAll()
 .logoutSuccessUrl("/");
 }
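Review bot: Replacing four explicit imports with `import org.springframework.security.web.csrf.*;` goes against the explicit-import style used by every other line of this file's import block. Since `configure()` further down no longer references `CsrfFilter`, check whether the csrf helper methods (outside the hunk) still use these types; if not, the import is dead and should be removed rather than widened.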
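Review bot: Commenting out the `.csrf()` configuration does not turn CSRF protection off — `WebSecurityConfigurerAdapter` keeps `CsrfFilter` with a session-backed token repository by default — it only drops the custom `csrfRequestMatcher()`/`csrfTokenRepository()` and the `csrfHeaderFilter()` that presumably exposed the token to clients, so any non-GET request that does not carry a session token is now rejected. Decide explicitly: restore the three lines, or if the gateway is meant to accept bearer tokens only, write `.csrf().disable()` with a comment giving the reason, and delete the commented-out lines rather than leaving them in. The helper methods the old lines called are outside the hunk and become unused either way.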
diff --git a/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/filter/HeaderEnhanceFilter.java b/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/filter/HeaderEnhanceFilter.java
new file mode 100644
index 0000000..5827999
--- /dev/null
+++ b/gateway-zuul/src/main/java/io/bluemoon/gatewayzuul/filter/HeaderEnhanceFilter.java
@@ -0,0 +1,18 @@
+package io.bluemoon.gatewayzuul.filter;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+public class HeaderEnhanceFilter implements Filter {
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ String authorization = ((HttpServletRequest) request).getHeader("Authorization");
+ String requestURI = ((HttpServletRequest) request).getRequestURI();
+ // test if request url is permit all, then remove authorization from header
+
+
+
+ }
+}
diff --git a/gateway-zuul/src/main/resources/application.properties b/gateway-zuul/src/main/resources/application.properties
index 343ef15..d0634da 100644
--- a/gateway-zuul/src/main/resources/application.properties
+++ b/gateway-zuul/src/main/resources/application.properties
@@ -1,13 +1,14 @@
 server.port=8765
+zuul.sensitive-headers=Cookie,Set-Cookie
-zuul.routes.mk2-service=/service/**
+zuul.routes.mk2-service.path=/service/**
 zuul.routes.mk2-service.url=http://127.0.0.1:8082
-
+zuul.routes.mk2-service.sensitive-headers=Cookie,Set-Cookie
 zuul.routes.mk2-oauth.path=/mk-auth/**
 zuul.routes.mk2-oauth.url=http://127.0.0.1:8081
-zuul.routes.mk2-oauth.sensitive-headers=Authorization
+zuul.routes.mk2-oauth.sensitive-headers=Cookie,Set-Cookie
 #zuul.routes.mk2-oauth.path=/mk2auth/**
 zuul.routes.mk2-oauth.strip-prefix=false
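Review bot: `doFilter()` never calls `chain.doFilter(request, response)`, so if this filter is registered every request that reaches it ends with an empty response; the `authorization` and `requestURI` locals are read and then discarded. At minimum add `chain.doFilter(request, response);` as the last statement so the filter is a no-op until the permit-all logic exists. When that logic is written, note that servlet request headers cannot be removed in place — an `HttpServletRequestWrapper` overriding `getHeader`/`getHeaders`/`getHeaderNames` will be needed — and the unconditional cast should be guarded with `instanceof HttpServletRequest`.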
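Review bot: The three `sensitive-headers=Cookie,Set-Cookie` lines remove `Authorization` from Zuul's sensitive list, so the caller's bearer token is now relayed to every route, including mk2-oauth where the removed line explicitly stripped it. That is consistent with the downstream services validating tokens themselves, but it moves a trust boundary and deserves a comment, e.g. `# Authorization is intentionally forwarded: each backend is a resource server and validates the token itself`. The per-route `zuul.routes.mk2-service.sensitive-headers` line repeats the global value and could be dropped.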
@@ -19,19 +20,20 @@ security.oauth2.sso.login-path=/login
 security.oauth2.client.access-token-uri=http://127.0.0.1:8081/mk-auth/oauth/token
 security.oauth2.client.user-authorization-uri=http://127.0.0.1:8081/mk-auth/oauth/authorize
-security.oauth2.resource.token-info-uri=http://127.0.0.1:8081/mk-auth/oauth/check_token
+
+security.oauth2.resource.user-info-uri=http://127.0.0.1:8081/mk-auth/user
+#security.oauth2.resource.prefer-token-info=false
+
 security.oauth2.client.client-id=system1
 security.oauth2.client.client-secret=1234
-
+#management.security.enabled=false
 #security.oauth2.resource.jwt.key-value="abc"
 #security.oauth2.resource.id=read
 #security.oauth2.resource.service-id=${PREFIX:}resource
-management.endpoints.web.exposure.include=routes, health, filter
-management.endpoint.routes.enabled=true
-management.endpoint.filters.enabled=true
-
-
+#management.endpoints.web.exposure.include=routes, health, filter
+#management.endpoint.routes.enabled=true
+#management.endpoint.filters.enabled=true
diff --git a/test-service/src/main/java/io/bluemoon/testservice/ResourceServiceConfig.java b/test-service/src/main/java/io/bluemoon/testservice/ResourceServiceConfig.java
new file mode 100644
index 0000000..ce5b898
--- /dev/null
+++ b/test-service/src/main/java/io/bluemoon/testservice/ResourceServiceConfig.java
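Review bot: `#security.oauth2.resource.prefer-token-info=false` is added commented out while `token-info-uri` is removed in the same hunk, so the gateway now depends on Boot's fallback to the user-info endpoint rather than on an explicit setting; the test-service properties in this same commit set `prefer-token-info=false` uncommented, so the two modules disagree. Either uncomment the line or delete it, and add a note next to `user-info-uri` that token validation is now a remote call to the authorization server's `/user` endpoint for each token the gateway has to check.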
@@ -0,0 +1,18 @@
+//package io.bluemoon.testservice;
+//
+//import org.springframework.context.annotation.Configuration;
+//import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+//import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
+//import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
+//import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
+//
+//@EnableResourceServer
+//@Configuration
+//public class ResourceServiceConfig extends ResourceServerConfigurerAdapter {
+//
+// @Override
+// public void configure(HttpSecurity http) throws Exception {
+// http.requestMatcher(new RequestHeaderRequestMatcher("Authorization"))
+// .authorizeRequests().anyRequest().fullyAuthenticated();
+// }
+//}
diff --git a/test-service/src/main/java/io/bluemoon/testservice/TestServiceApplication.java b/test-service/src/main/java/io/bluemoon/testservice/TestServiceApplication.java
index d11f97f..4377a98 100644
--- a/test-service/src/main/java/io/bluemoon/testservice/TestServiceApplication.java
+++ b/test-service/src/main/java/io/bluemoon/testservice/TestServiceApplication.java
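Review bot: `ResourceServiceConfig.java` is a new file whose eighteen lines are all commented out, so it adds dead code with no explanation of whether the `RequestHeaderRequestMatcher("Authorization")` approach is planned or abandoned. Either delete the file or reduce it to a single `// TODO:` line stating the intent (restrict the resource-server chain to requests carrying an Authorization header) and why it is not enabled yet.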
@@ -2,17 +2,19 @@ package io.bluemoon.testservice;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.SessionAttributes;
 import java.security.Principal;
-@EnableResourceServer
 @SpringBootApplication
+@EnableResourceServer
 public class TestServiceApplication {
 public static void main(String[] args) {
diff --git a/test-service/src/main/resources/application.properties b/test-service/src/main/resources/application.properties
index c3e43cd..26a7cb3 100644
--- a/test-service/src/main/resources/application.properties
+++ b/test-service/src/main/resources/application.properties
@@ -3,4 +3,10 @@ server.port=8082
 #security.oauth2.resource.jwt.key-value="abc"
 #security.oauth2.resource.id=read
-#security.oauth2.resource.service-id=${PREFIX:}resource
\ No newline at end of file
+#security.oauth2.resource.service-id=${PREFIX:}resource
+
+security.oauth2.client.client-id=system1
+security.oauth2.client.client-secret=1234
+#security.oauth2.resource.token-info-uri=http://127.0.0.1:8081/mk-auth/oauth/check_token
+security.oauth2.resource.user-info-uri=http://127.0.0.1:8081/mk-auth/user
+security.oauth2.resource.prefer-token-info=false
\ No newline at end of file
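Review bot: The two new imports `org.springframework.core.annotation.Order` and `org.springframework.web.bind.annotation.SessionAttributes` are not used by anything in this hunk; unless the rest of the file (not visible here) references them, they should be removed. Swapping the order of `@SpringBootApplication` and `@EnableResourceServer` has no effect and is purely cosmetic.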
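Review bot: `security.oauth2.client.client-secret=1234` copies the client secret into a second module's committed properties file in plaintext. Reference it from the environment instead, e.g. `security.oauth2.client.client-secret=${OAUTH_CLIENT_SECRET}` (placeholder name), and do the same in the gateway; if the user-info token services here only need `client-id`, the secret line may not be required at all. The file still ends without a trailing newline, which the diff flags on both sides.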