diff --git a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
index 88ce4e178..071e1a0cd 100644
--- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
+++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
@@ -135,7 +135,17 @@ public class TokenAuthenticationFilter extends OncePerRequestFilter {
             }
             try {
                 loginUserStr = URLDecoder.decode(loginUserStr, StandardCharsets.UTF_8); // 解码,解决中文乱码问题
-                return JsonUtils.parseObject(loginUserStr, LoginUser.class);
+                LoginUser loginUser = JsonUtils.parseObject(loginUserStr, LoginUser.class);
+                // 用户类型不匹配,无权限
+                // 注意:只有 /admin-api/* 和 /app-api/* 有 userType,才需要比对用户类型
+                // 类似 WebSocket 的 /ws/* 连接地址,是不需要比对用户类型的
+                Integer userType = WebFrameworkUtils.getLoginUserType(request);
+                if (userType != null
+                        && loginUser != null
+                        && ObjectUtil.notEqual(loginUser.getUserType(), userType)) {
+                    throw new AccessDeniedException("错误的用户类型");
+                }
+                return loginUser;
             } catch (Exception ex) {
                 log.error("[buildLoginUserByHeader][解析 LoginUser({}) 发生异常]", loginUserStr, ex); ;
                 throw ex;
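Review bot: The new `throw new AccessDeniedException("错误的用户类型")` is raised inside the try block, so the existing `catch (Exception ex)` two lines below records every user-type mismatch at error level as a parse failure and writes the full decoded `loginUserStr` (the complete LoginUser payload) into the log together with the stack trace. A mismatched user type is an authorization decision rather than a parse error, so it should neither be reported under "解析 LoginUser 发生异常" nor cause the user payload to be logged; it also makes the error log trivially noisy whenever an admin token is presented to an app endpoint or vice versa. Keep the try/catch around decoding and parsing only, and perform the type comparison after the catch, as sketched below. buildLoginUserByHeader starts and ends outside the hunk, so the availability of `request` and the earlier null/blank checks on `loginUserStr` are assumed from the surrounding lines.
```java
            LoginUser loginUser;
            try {
                loginUserStr = URLDecoder.decode(loginUserStr, StandardCharsets.UTF_8); // 解码,解决中文乱码问题
                loginUser = JsonUtils.parseObject(loginUserStr, LoginUser.class);
            } catch (Exception ex) {
                // … unchanged: error log and rethrow …
                throw ex;
            }
            // 用户类型不匹配,无权限(只有带 userType 的 /admin-api/*、/app-api/* 才比对)
            Integer userType = WebFrameworkUtils.getLoginUserType(request);
            if (userType != null
                    && loginUser != null
                    && ObjectUtil.notEqual(loginUser.getUserType(), userType)) {
                throw new AccessDeniedException("错误的用户类型");
            }
            return loginUser;
```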