diff --git a/internal/rpc/rpc_client.go b/internal/rpc/rpc_client.go
index d4bf2157..4688fd84 100644
--- a/internal/rpc/rpc_client.go
+++ b/internal/rpc/rpc_client.go
@@ -228,6 +228,10 @@ func (this *RPCClient) HTTPFastcgiRPC() pb.HTTPFastcgiServiceClient {
 	return pb.NewHTTPFastcgiServiceClient(this.pickConn())
 }
 
+func (this *RPCClient) HTTPAuthPolicyRPC() pb.HTTPAuthPolicyServiceClient {
+	return pb.NewHTTPAuthPolicyServiceClient(this.pickConn())
+}
+
 func (this *RPCClient) SSLCertRPC() pb.SSLCertServiceClient {
 	return pb.NewSSLCertServiceClient(this.pickConn())
 }
diff --git a/internal/web/actions/default/servers/server/settings/access/createPopup.go b/internal/web/actions/default/servers/server/settings/access/createPopup.go
index 4642a31a..81758bb0 100644
--- a/internal/web/actions/default/servers/server/settings/access/createPopup.go
+++ b/internal/web/actions/default/servers/server/settings/access/createPopup.go
@@ -3,7 +3,10 @@
 package access
 
 import (
+	"encoding/json"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
 	"github.com/iwind/TeaGo/actions"
 )
 
@@ -16,12 +19,105 @@ func (this *CreatePopupAction) Init() {
 }
 
 func (this *CreatePopupAction) RunGet(params struct{}) {
+	this.Data["authTypes"] = serverconfigs.FindAllHTTPAuthTypes()
 	this.Show()
 }
 
 func (this *CreatePopupAction) RunPost(params struct {
+	Name string
+	Type string
+
+	// BasicAuth
+	HttpAuthBasicAuthUsersJSON []byte
+	BasicAuthRealm             string
+	BasicAuthCharset           string
+
+	// SubRequest
+	SubRequestURL           string
+	SubRequestMethod        string
+	SubRequestFollowRequest bool
+
 	Must *actions.Must
 	CSRF *actionutils.CSRF
 }) {
+	params.Must.
+		Field("name", params.Name).
+		Require("请输入名称").
+		Field("type", params.Type).
+		Require("请输入认证类型")
 
+	var ref = &serverconfigs.HTTPAuthPolicyRef{IsOn: true}
+	var paramsJSON []byte
+
+	switch params.Type {
+	case serverconfigs.HTTPAuthTypeBasicAuth:
+		users := []*serverconfigs.HTTPAuthBasicMethodUser{}
+		err := json.Unmarshal(params.HttpAuthBasicAuthUsersJSON, &users)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		if len(users) == 0 {
+			this.Fail("请添加至少一个用户")
+		}
+		method := &serverconfigs.HTTPAuthBasicMethod{
+			Users:   users,
+			Realm:   params.BasicAuthRealm,
+			Charset: params.BasicAuthCharset,
+		}
+		methodJSON, err := json.Marshal(method)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+
+		paramsJSON = methodJSON
+	case serverconfigs.HTTPAuthTypeSubRequest:
+		params.Must.Field("subRequestURL", params.SubRequestURL).
+			Require("请输入子请求URL")
+		if params.SubRequestFollowRequest {
+			params.SubRequestMethod = ""
+		}
+		method := &serverconfigs.HTTPAuthSubRequestMethod{
+			URL:    params.SubRequestURL,
+			Method: params.SubRequestMethod,
+		}
+		methodJSON, err := json.Marshal(method)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		paramsJSON = methodJSON
+	default:
+		this.Fail("不支持的认证类型'" + params.Type + "'")
+	}
+
+	var paramsMap map[string]interface{}
+	err := json.Unmarshal(paramsJSON, &paramsMap)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	createResp, err := this.RPC().HTTPAuthPolicyRPC().CreateHTTPAuthPolicy(this.AdminContext(), &pb.CreateHTTPAuthPolicyRequest{
+		Name:       params.Name,
+		Type:       params.Type,
+		ParamsJSON: paramsJSON,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	defer this.CreateLogInfo("创建HTTP认证 %d", createResp.HttpAuthPolicyId)
+	ref.AuthPolicyId = createResp.HttpAuthPolicyId
+	ref.AuthPolicy = &serverconfigs.HTTPAuthPolicy{
+		Id:     createResp.HttpAuthPolicyId,
+		Name:   params.Name,
+		IsOn:   true,
+		Type:   params.Type,
+		Params: paramsMap,
+	}
+
+	this.Data["policyRef"] = ref
+	this.Success()
 }
diff --git a/internal/web/actions/default/servers/server/settings/access/index.go b/internal/web/actions/default/servers/server/settings/access/index.go
index 568f4567..bca6dada 100644
--- a/internal/web/actions/default/servers/server/settings/access/index.go
+++ b/internal/web/actions/default/servers/server/settings/access/index.go
@@ -1,8 +1,12 @@
 package access
 
 import (
+	"encoding/json"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	"github.com/iwind/TeaGo/actions"
 )
 
 type IndexAction struct {
@@ -28,3 +32,45 @@ func (this *IndexAction) RunGet(params struct {
 
 	this.Show()
 }
+
+func (this *IndexAction) RunPost(params struct {
+	WebId    int64
+	AuthJSON []byte
+
+	Must *actions.Must
+	CSRF *actionutils.CSRF
+}) {
+	defer this.CreateLogInfo("修改Web %d 的认证设置", params.WebId)
+
+	var authConfig = &serverconfigs.HTTPAuthConfig{}
+	err := json.Unmarshal(params.AuthJSON, authConfig)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	err = authConfig.Init()
+	if err != nil {
+		this.Fail("配置校验失败：" + err.Error())
+	}
+
+	// 保存之前删除多于的配置信息
+	for _, ref := range authConfig.PolicyRefs {
+		ref.AuthPolicy = nil
+	}
+
+	configJSON, err := json.Marshal(authConfig)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	_, err = this.RPC().HTTPWebRPC().UpdateHTTPWebAuth(this.AdminContext(), &pb.UpdateHTTPWebAuthRequest{
+		WebId:    params.WebId,
+		AuthJSON: configJSON,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}
diff --git a/internal/web/actions/default/servers/server/settings/access/init.go b/internal/web/actions/default/servers/server/settings/access/init.go
index 2f51fe60..588a6cd7 100644
--- a/internal/web/actions/default/servers/server/settings/access/init.go
+++ b/internal/web/actions/default/servers/server/settings/access/init.go
@@ -13,7 +13,7 @@ func init() {
 			Helper(helpers.NewUserMustAuth(configloaders.AdminModuleCodeServer)).
 			Helper(serverutils.NewServerHelper()).
 			Prefix("/servers/server/settings/access").
-			Get("", new(IndexAction)).
+			GetPost("", new(IndexAction)).
 			GetPost("/createPopup", new(CreatePopupAction)).
 			GetPost("/updatePopup", new(UpdatePopupAction)).
 			EndAll()
diff --git a/internal/web/actions/default/servers/server/settings/access/updatePopup.go b/internal/web/actions/default/servers/server/settings/access/updatePopup.go
index 5dfbf14a..0453c314 100644
--- a/internal/web/actions/default/servers/server/settings/access/updatePopup.go
+++ b/internal/web/actions/default/servers/server/settings/access/updatePopup.go
@@ -2,7 +2,14 @@
 
 package access
 
-import "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/maps"
+)
 
 type UpdatePopupAction struct {
 	actionutils.ParentAction
@@ -12,6 +19,149 @@ func (this *UpdatePopupAction) Init() {
 	this.Nav("", "", "")
 }
 
-func (this *UpdatePopupAction) RunGet(params struct{}) {
+func (this *UpdatePopupAction) RunGet(params struct {
+	PolicyId int64
+}) {
+	this.Data["authTypes"] = serverconfigs.FindAllHTTPAuthTypes()
+
+	policyResp, err := this.RPC().HTTPAuthPolicyRPC().FindEnabledHTTPAuthPolicy(this.AdminContext(), &pb.FindEnabledHTTPAuthPolicyRequest{HttpAuthPolicyId: params.PolicyId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	policy := policyResp.HttpAuthPolicy
+	if policy == nil {
+		this.NotFound("httpAuthPolicy", params.PolicyId)
+		return
+	}
+
+	var authParams = map[string]interface{}{}
+	if len(policy.ParamsJSON) > 0 {
+		err = json.Unmarshal(policy.ParamsJSON, &authParams)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+	}
+	this.Data["policy"] = maps.Map{
+		"id":     policy.Id,
+		"isOn":   policy.IsOn,
+		"name":   policy.Name,
+		"type":   policy.Type,
+		"params": authParams,
+	}
+
 	this.Show()
 }
+
+func (this *UpdatePopupAction) RunPost(params struct {
+	PolicyId int64
+
+	Name string
+	IsOn bool
+
+	// BasicAuth
+	HttpAuthBasicAuthUsersJSON []byte
+	BasicAuthRealm             string
+	BasicAuthCharset           string
+
+	// SubRequest
+	SubRequestURL           string
+	SubRequestMethod        string
+	SubRequestFollowRequest bool
+
+	Must *actions.Must
+	CSRF *actionutils.CSRF
+}) {
+	defer this.CreateLogInfo("修改HTTP认证 %d", params.PolicyId)
+
+	policyResp, err := this.RPC().HTTPAuthPolicyRPC().FindEnabledHTTPAuthPolicy(this.AdminContext(), &pb.FindEnabledHTTPAuthPolicyRequest{HttpAuthPolicyId: params.PolicyId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	policy := policyResp.HttpAuthPolicy
+	if policy == nil {
+		this.NotFound("httpAuthPolicy", params.PolicyId)
+		return
+	}
+	policyType := policy.Type
+
+	params.Must.
+		Field("name", params.Name).
+		Require("请输入名称")
+
+	var ref = &serverconfigs.HTTPAuthPolicyRef{IsOn: true}
+	var paramsJSON []byte
+
+	switch policyType {
+	case serverconfigs.HTTPAuthTypeBasicAuth:
+		users := []*serverconfigs.HTTPAuthBasicMethodUser{}
+		err := json.Unmarshal(params.HttpAuthBasicAuthUsersJSON, &users)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		if len(users) == 0 {
+			this.Fail("请添加至少一个用户")
+		}
+		method := &serverconfigs.HTTPAuthBasicMethod{
+			Users:   users,
+			Realm:   params.BasicAuthRealm,
+			Charset: params.BasicAuthCharset,
+		}
+		methodJSON, err := json.Marshal(method)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+
+		paramsJSON = methodJSON
+	case serverconfigs.HTTPAuthTypeSubRequest:
+		params.Must.Field("subRequestURL", params.SubRequestURL).
+			Require("请输入子请求URL")
+		if params.SubRequestFollowRequest {
+			params.SubRequestMethod = ""
+		}
+		method := &serverconfigs.HTTPAuthSubRequestMethod{
+			URL:    params.SubRequestURL,
+			Method: params.SubRequestMethod,
+		}
+		methodJSON, err := json.Marshal(method)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		paramsJSON = methodJSON
+	default:
+		this.Fail("不支持的认证类型'" + policyType + "'")
+	}
+
+	var paramsMap map[string]interface{}
+	err = json.Unmarshal(paramsJSON, &paramsMap)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	_, err = this.RPC().HTTPAuthPolicyRPC().UpdateHTTPAuthPolicy(this.AdminContext(), &pb.UpdateHTTPAuthPolicyRequest{
+		HttpAuthPolicyId: params.PolicyId,
+		Name:             params.Name,
+		ParamsJSON:       paramsJSON,
+		IsOn:             params.IsOn,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	ref.AuthPolicy = &serverconfigs.HTTPAuthPolicy{
+		Id:     params.PolicyId,
+		Name:   params.Name,
+		IsOn:   params.IsOn,
+		Type:   policyType,
+		Params: paramsMap,
+	}
+
+	this.Data["policyRef"] = ref
+	this.Success()
+}
diff --git a/internal/web/actions/default/servers/server/settings/locations/access/index.go b/internal/web/actions/default/servers/server/settings/locations/access/index.go
index 36a5c0e6..96f27747 100644
--- a/internal/web/actions/default/servers/server/settings/locations/access/index.go
+++ b/internal/web/actions/default/servers/server/settings/locations/access/index.go
@@ -1,7 +1,12 @@
 package access
 
 import (
+	"encoding/json"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	"github.com/iwind/TeaGo/actions"
 )
 
 type IndexAction struct {
@@ -9,12 +14,63 @@ type IndexAction struct {
 }
 
 func (this *IndexAction) Init() {
+	this.Nav("", "setting", "index")
+	this.SecondMenu("access")
 }
 
 func (this *IndexAction) RunGet(params struct {
-	ServerId int64
+	LocationId int64
 }) {
-	// TODO
+	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithLocationId(this.AdminContext(), params.LocationId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Data["webId"] = webConfig.Id
+	this.Data["authConfig"] = webConfig.Auth
 
 	this.Show()
 }
+
+func (this *IndexAction) RunPost(params struct {
+	WebId    int64
+	AuthJSON []byte
+
+	Must *actions.Must
+	CSRF *actionutils.CSRF
+}) {
+	defer this.CreateLogInfo("修改Web %d 的认证设置", params.WebId)
+
+	var authConfig = &serverconfigs.HTTPAuthConfig{}
+	err := json.Unmarshal(params.AuthJSON, authConfig)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	err = authConfig.Init()
+	if err != nil {
+		this.Fail("配置校验失败：" + err.Error())
+	}
+
+	// 保存之前删除多于的配置信息
+	for _, ref := range authConfig.PolicyRefs {
+		ref.AuthPolicy = nil
+	}
+
+	configJSON, err := json.Marshal(authConfig)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	_, err = this.RPC().HTTPWebRPC().UpdateHTTPWebAuth(this.AdminContext(), &pb.UpdateHTTPWebAuthRequest{
+		WebId:    params.WebId,
+		AuthJSON: configJSON,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}
diff --git a/internal/web/actions/default/servers/server/settings/locations/access/init.go b/internal/web/actions/default/servers/server/settings/locations/access/init.go
index 53958c11..86cf0a22 100644
--- a/internal/web/actions/default/servers/server/settings/locations/access/init.go
+++ b/internal/web/actions/default/servers/server/settings/locations/access/init.go
@@ -16,7 +16,7 @@ func init() {
 			Helper(serverutils.NewServerHelper()).
 			Data("tinyMenuItem", "access").
 			Prefix("/servers/server/settings/locations/access").
-			Get("", new(IndexAction)).
+			GetPost("", new(IndexAction)).
 			EndAll()
 	})
 }
diff --git a/web/public/js/components/server/http-auth-basic-auth-user-box.js b/web/public/js/components/server/http-auth-basic-auth-user-box.js
new file mode 100644
index 00000000..90a1ff93
--- /dev/null
+++ b/web/public/js/components/server/http-auth-basic-auth-user-box.js
@@ -0,0 +1,101 @@
+// 基本认证用户配置
+Vue.component("http-auth-basic-auth-user-box", {
+	props: ["v-users"],
+	data: function () {
+		let users = this.vUsers
+		if (users == null) {
+			users = []
+		}
+		return {
+			users: users,
+			isAdding: false,
+			updatingIndex: -1,
+
+			username: "",
+			password: ""
+		}
+	},
+	methods: {
+		add: function () {
+			this.isAdding = true
+			this.username = ""
+			this.password = ""
+
+			let that = this
+			setTimeout(function () {
+				that.$refs.username.focus()
+			}, 100)
+		},
+		cancel: function () {
+			this.isAdding = false
+			this.updatingIndex = -1
+		},
+		confirm: function () {
+			let that = this
+			if (this.username.length == 0) {
+				teaweb.warn("请输入用户名", function () {
+					that.$refs.username.focus()
+				})
+				return
+			}
+			if (this.password.length == 0) {
+				teaweb.warn("请输入密码", function () {
+					that.$refs.password.focus()
+				})
+				return
+			}
+			if (this.updatingIndex < 0) {
+				this.users.push({
+					username: this.username,
+					password: this.password
+				})
+			} else {
+				this.users[this.updatingIndex].username = this.username
+				this.users[this.updatingIndex].password = this.password
+			}
+			this.cancel()
+		},
+		update: function (index, user) {
+			this.updatingIndex = index
+
+			this.isAdding = true
+			this.username = user.username
+			this.password = user.password
+
+			let that = this
+			setTimeout(function () {
+				that.$refs.username.focus()
+			}, 100)
+		},
+		remove: function (index) {
+			this.users.$remove(index)
+		}
+	},
+	template: `<div>
+	<input type="hidden" name="httpAuthBasicAuthUsersJSON" :value="JSON.stringify(users)"/>
+	<div v-if="users.length > 0">
+		<div class="ui label small basic" v-for="(user, index) in users">
+			{{user.username}} <a href="" title="修改" @click.prevent="update(index, user)"><i class="icon pencil tiny"></i></a>
+			<a href="" title="删除" @click.prevent="remove(index)"><i class="icon remove small"></i></a>
+		</div>
+		<div class="ui divider"></div>
+	</div>
+	<div v-show="isAdding">
+		<div class="ui fields inline">
+			<div class="ui field">
+				<input type="text" placeholder="用户名" v-model="username" size="15" ref="username"/>
+			</div>
+			<div class="ui field">
+				<input type="password" placeholder="密码" v-model="password" size="15" ref="password"/>
+			</div>
+			<div class="ui field">
+				<button class="ui button tiny" type="button" @click.prevent="confirm">确定</button>&nbsp;
+				<a href="" title="取消" @click.prevent="cancel"><i class="icon remove small"></i></a>
+			</div>
+		</div>
+	</div>
+	<div v-if="!isAdding" style="margin-top: 1em">
+		<button class="ui button tiny" type="button" @click.prevent="add">+</button>
+	</div>
+</div>`
+})
\ No newline at end of file
diff --git a/web/public/js/components/server/http-auth-config-box.js b/web/public/js/components/server/http-auth-config-box.js
index 621a3606..6d97db43 100644
--- a/web/public/js/components/server/http-auth-config-box.js
+++ b/web/public/js/components/server/http-auth-config-box.js
@@ -25,23 +25,36 @@ Vue.component("http-auth-config-box", {
 			teaweb.popup("/servers/server/settings/access/createPopup", {
 				callback: function (resp) {
 					that.authConfig.policyRefs.push(resp.data.policyRef)
-				}
+				},
+				height: "28em"
 			})
 		},
 		update: function (index, policyId) {
 			let that = this
 			teaweb.popup("/servers/server/settings/access/updatePopup?policyId=" + policyId, {
 				callback: function (resp) {
-					Vue.set(that.authConfig.policyRefs, index, resp.data.policyRef)
-				}
+					teaweb.success("保存成功", function () {
+						teaweb.reload()
+					})
+				},
+				height: "28em"
 			})
 		},
-		delete: function (index) {
-			that.authConfig.policyRefs.$remove(index)
+		remove: function (index) {
+			this.authConfig.policyRefs.$remove(index)
+		},
+		methodName: function (methodType) {
+			switch (methodType) {
+				case "basicAuth":
+					return "BasicAuth"
+				case "subRequest":
+					return "子请求"
+			}
+			return ""
 		}
 	},
 	template: `<div>
-<input type="text" name="authJSON" :value="JSON.stringify(authConfig)"/> 
+<input type="hidden" name="authJSON" :value="JSON.stringify(authConfig)"/> 
 <table class="ui table selectable definition">
 	<prior-checkbox :v-config="authConfig" v-if="vIsLocation"></prior-checkbox>
 	<tbody v-show="!vIsLocation || authConfig.isPrior">
@@ -57,24 +70,43 @@ Vue.component("http-auth-config-box", {
 	</tbody>
 </table>
 <div class="margin"></div>
-<!-- 认证方法 -->
-<div>
+<!-- 认证方式 -->
+<div v-show="isOn()">
+	<h4>认证方式</h4>
 	<table class="ui table selectable celled" v-show="authConfig.policyRefs.length > 0">
 		<thead>
 			<tr>
-				<th>认证方法</th>
+				<th class="three wide">名称</th>
+				<th class="three wide">认证方法</th>
 				<th>参数</th>
 				<th class="two wide">状态</th>
 				<th class="two op">操作</th>
 			</tr>
 		</thead>
-		<tbody v-for="ref in authConfig.policyRefs" :key="ref.authPolicyId">
+		<tbody v-for="(ref, index) in authConfig.policyRefs" :key="ref.authPolicyId">
 			<tr>
-				<td></td>
+				<td>{{ref.authPolicy.name}}</td>
+				<td>
+					{{methodName(ref.authPolicy.type)}}
+				</td>
+				<td>
+					<span v-if="ref.authPolicy.type == 'basicAuth'">{{ref.authPolicy.params.users.length}}个用户</span>
+					<span v-if="ref.authPolicy.type == 'subRequest'">
+						<span v-if="ref.authPolicy.params.method.length > 0" class="grey">[{{ref.authPolicy.params.method}}]</span>
+						{{ref.authPolicy.params.url}}
+					</span>
+				</td>
+				<td>
+					<label-on :v-is-on="ref.authPolicy.isOn"></label-on>
+				</td>
+				<td>
+					<a href="" @click.prevent="update(index, ref.authPolicyId)">修改</a> &nbsp;
+					<a href="" @click.prevent="remove(index)">删除</a>
+				</td>
 			</tr>
 		</tbody>
 	</table>
-	<button class="ui button small" type="button" @click.prevent="add">+添加认证</button>
+	<button class="ui button small" type="button" @click.prevent="add">+添加认证方式</button>
 </div>
 <div class="margin"></div>
 </div>`
diff --git a/web/views/@default/servers/server/settings/access/createPopup.html b/web/views/@default/servers/server/settings/access/createPopup.html
index 0ffd23cc..220da6da 100644
--- a/web/views/@default/servers/server/settings/access/createPopup.html
+++ b/web/views/@default/servers/server/settings/access/createPopup.html
@@ -1,33 +1,80 @@
 {$layout "layout_popup"}
 
-<h3>创建认证</h3>
+<h3>创建认证方式</h3>
 <form class="ui form" data-tea-action="$" data-tea-success="success">
     <csrf-token></csrf-token>
 
-    <table class="ui table definitions selectable">
+    <table class="ui table definition selectable">
         <tr>
             <td class="title">名称 *</td>
             <td>
-                <input type="text" name="name" maxlength="50"/>
+                <input type="text" name="name" maxlength="50" ref="focus"/>
             </td>
         </tr>
         <tr>
-            <td>类型 *</td>
+            <td>认证类型 *</td>
             <td>
-
+                <select class="ui dropdown auto-width" name="type" v-model="type" @change="changeType">
+                    <option value="">[认证类型]</option>
+                    <option v-for="authType in authTypes" :value="authType.code">{{authType.name}}</option>
+                </select>
+                <p class="comment" v-html="authDescription"></p>
             </td>
         </tr>
 
         <!-- BasicAuth -->
-        <tbody>
+        <tbody v-show="type == 'basicAuth'">
             <tr>
-                <td></td>
+                <td>用户 *</td>
+                <td>
+                    <http-auth-basic-auth-user-box></http-auth-basic-auth-user-box>
+                </td>
+            </tr>
+            <tr>
+                <td colspan="2">
+                    <a href="" @click.prevent="showMoreBasicAuthOptions()">更多选项<i class="ui icon angle" :class="{up: moreBasicAuthOptionsVisible, down: !moreBasicAuthOptionsVisible}"></i></a>
+                </td>
+            </tr>
+            <tr v-show="moreBasicAuthOptionsVisible">
+                <td>认证领域名<em>（Realm）</em></td>
+                <td>
+                    <input type="text" name="basicAuthRealm" value="" maxlength="100"/>
+                </td>
+            </tr>
+            <tr v-show="moreBasicAuthOptionsVisible">
+                <td>字符集</td>
+                <td>
+                    <input type="text" name="basicAuthCharset" style="width: 6em" maxlength="50"/>
+                    <p class="comment">类似于<code-label>UTF-8</code-label>。</p>
+                </td>
             </tr>
         </tbody>
 
         <!-- SubRequest -->
-        <tbody>
-
+        <tbody v-show="type == 'subRequest'">
+            <tr>
+                <td>子请求URL *</td>
+                <td>
+                    <input type="text" name="subRequestURL" maxlength="1024"/>
+                    <p class="comment">可以是一个完整的URL，也可以是一个路径。</p>
+                </td>
+            </tr>
+            <tr>
+                <td>请求方法</td>
+                <td>
+                    <radio name="subRequestFollowRequest" :v-value="1" v-model="subRequestFollowRequest">同当前请求一致</radio> &nbsp; &nbsp;
+                    <radio name="subRequestFollowRequest" :v-value="0" v-model="subRequestFollowRequest">自定义</radio>
+                    <div style="margin-top: 0.8em" v-show="subRequestFollowRequest == 0">
+                        <div class="ui divider"></div>
+                        <select class="ui dropdown auto-width" name="subRequestMethod">
+                            <option value="POST">POST</option>
+                            <option value="GET">GET</option>
+                            <option value="PUT">PUT</option>
+                            <option value="HEAD">HEAD</option>
+                        </select>
+                    </div>
+                </td>
+            </tr>
         </tbody>
     </table>
 
diff --git a/web/views/@default/servers/server/settings/access/createPopup.js b/web/views/@default/servers/server/settings/access/createPopup.js
index c8fe9515..fbd723d8 100644
--- a/web/views/@default/servers/server/settings/access/createPopup.js
+++ b/web/views/@default/servers/server/settings/access/createPopup.js
@@ -1,3 +1,32 @@
 Tea.context(function () {
 	this.success = NotifyPopup
+
+	this.type = ""
+	this.authDescription = ""
+
+	this.changeType = function () {
+		let that = this
+		let authType = this.authTypes.$find(function (k, v) {
+			return v.code == that.type
+		})
+		if (authType != null) {
+			this.authDescription = authType.description
+		} else {
+			this.authDescription = ""
+		}
+	}
+
+	/**
+	 * 基本认证
+	 */
+	this.moreBasicAuthOptionsVisible = false
+
+	this.showMoreBasicAuthOptions = function () {
+		this.moreBasicAuthOptionsVisible = !this.moreBasicAuthOptionsVisible
+	}
+
+	/**
+	 * 子请求
+	 */
+	this.subRequestFollowRequest = 1
 })
\ No newline at end of file
diff --git a/web/views/@default/servers/server/settings/access/index.html b/web/views/@default/servers/server/settings/access/index.html
index 2dbf3bcc..bfd895b9 100644
--- a/web/views/@default/servers/server/settings/access/index.html
+++ b/web/views/@default/servers/server/settings/access/index.html
@@ -4,6 +4,8 @@
 
 <div class="right-box">
     <form class="ui form" data-tea-action="$" data-tea-success="success">
+        <csrf-token></csrf-token>
+        <input type="hidden" name="webId" :value="webId">
         <http-auth-config-box :v-auth-config="authConfig"></http-auth-config-box>
         <submit-btn></submit-btn>
     </form>
diff --git a/web/views/@default/servers/server/settings/access/index.js b/web/views/@default/servers/server/settings/access/index.js
new file mode 100644
index 00000000..295a9aaf
--- /dev/null
+++ b/web/views/@default/servers/server/settings/access/index.js
@@ -0,0 +1,3 @@
+Tea.context(function () {
+	this.success = NotifyReloadSuccess("保存成功")
+})
\ No newline at end of file
diff --git a/web/views/@default/servers/server/settings/access/updatePopup.html b/web/views/@default/servers/server/settings/access/updatePopup.html
new file mode 100644
index 00000000..c113a6b5
--- /dev/null
+++ b/web/views/@default/servers/server/settings/access/updatePopup.html
@@ -0,0 +1,85 @@
+{$layout "layout_popup"}
+
+<h3>修改认证方式</h3>
+<form class="ui form" data-tea-action="$" data-tea-success="success">
+    <csrf-token></csrf-token>
+    <input type="hidden" name="policyId" :value="policy.id"/>
+
+    <table class="ui table definition selectable">
+        <tr>
+            <td class="title">名称 *</td>
+            <td>
+                <input type="text" name="name" maxlength="50" ref="focus" v-model="policy.name"/>
+            </td>
+        </tr>
+        <tr>
+            <td>认证类型 *</td>
+            <td>
+                {{policy.typeName}}
+                <p class="comment" v-html="authDescription"></p>
+            </td>
+        </tr>
+
+        <!-- BasicAuth -->
+        <tbody v-show="type == 'basicAuth'">
+            <tr>
+                <td>用户 *</td>
+                <td>
+                    <http-auth-basic-auth-user-box :v-users="policy.params.users"></http-auth-basic-auth-user-box>
+                </td>
+            </tr>
+            <tr>
+                <td colspan="2">
+                    <a href="" @click.prevent="showMoreBasicAuthOptions()">更多选项<i class="ui icon angle" :class="{up: moreBasicAuthOptionsVisible, down: !moreBasicAuthOptionsVisible}"></i></a>
+                </td>
+            </tr>
+            <tr v-show="moreBasicAuthOptionsVisible">
+                <td>认证领域名<em>（Realm）</em></td>
+                <td>
+                    <input type="text" name="basicAuthRealm" value="" maxlength="100" v-model="policy.params.realm"/>
+                </td>
+            </tr>
+            <tr v-show="moreBasicAuthOptionsVisible">
+                <td>字符集</td>
+                <td>
+                    <input type="text" name="basicAuthCharset" style="width: 6em" v-model="policy.params.charset" maxlength="50"/>
+                    <p class="comment">类似于<code-label>utf-8</code-label>。</p>
+                </td>
+            </tr>
+        </tbody>
+
+        <!-- SubRequest -->
+        <tbody v-show="type == 'subRequest'">
+            <tr>
+                <td>子请求URL *</td>
+                <td>
+                    <input type="text" name="subRequestURL" maxlength="1024" v-model="policy.params.url"/>
+                    <p class="comment">可以是一个完整的URL，也可以是一个路径。</p>
+                </td>
+            </tr>
+            <tr>
+                <td>请求方法</td>
+                <td>
+                    <radio name="subRequestFollowRequest" :v-value="1" v-model="subRequestFollowRequest">同当前请求一致</radio> &nbsp; &nbsp;
+                    <radio name="subRequestFollowRequest" :v-value="0" v-model="subRequestFollowRequest">自定义</radio>
+                    <div style="margin-top: 0.8em" v-show="subRequestFollowRequest == 0">
+                        <div class="ui divider"></div>
+                        <select class="ui dropdown auto-width" name="subRequestMethod" v-model="policy.params.method">
+                            <option value="">[请选择]</option>
+                            <option value="POST">POST</option>
+                            <option value="GET">GET</option>
+                            <option value="PUT">PUT</option>
+                            <option value="HEAD">HEAD</option>
+                        </select>
+                    </div>
+                </td>
+            </tr>
+        </tbody>
+        <tr>
+            <td>是否启用</td>
+            <td><checkbox name="isOn" value="1" v-model="policy.isOn"></checkbox></td>
+        </tr>
+    </table>
+
+    <submit-btn></submit-btn>
+</form>
\ No newline at end of file
diff --git a/web/views/@default/servers/server/settings/access/updatePopup.js b/web/views/@default/servers/server/settings/access/updatePopup.js
new file mode 100644
index 00000000..64e93738
--- /dev/null
+++ b/web/views/@default/servers/server/settings/access/updatePopup.js
@@ -0,0 +1,37 @@
+Tea.context(function () {
+	this.success = NotifyPopup
+
+	this.type = this.policy.type
+	this.authDescription = ""
+
+	this.$delay(function () {
+		this.changeType()
+	})
+
+	this.changeType = function () {
+		let that = this
+		let authType = this.authTypes.$find(function (k, v) {
+			return v.code == that.type
+		})
+		if (authType != null) {
+			this.policy.typeName = authType.name
+			this.authDescription = authType.description
+		} else {
+			this.authDescription = ""
+		}
+	}
+
+	/**
+	 * 基本认证
+	 */
+	this.moreBasicAuthOptionsVisible = false
+
+	this.showMoreBasicAuthOptions = function () {
+		this.moreBasicAuthOptionsVisible = !this.moreBasicAuthOptionsVisible
+	}
+
+	/**
+	 * 子请求
+	 */
+	this.subRequestFollowRequest = (this.policy.params.method != null && this.policy.params.method.length > 0) ? 0 : 1
+})
\ No newline at end of file
diff --git a/web/views/@default/servers/server/settings/locations/access/index.html b/web/views/@default/servers/server/settings/locations/access/index.html
index bda437b6..f1f6456b 100644
--- a/web/views/@default/servers/server/settings/locations/access/index.html
+++ b/web/views/@default/servers/server/settings/locations/access/index.html
@@ -1,13 +1,16 @@
 {$layout}
-
 {$template "/left_menu"}
 
 <div class="right-box">
-	{$template "../location_menu"}
-	{$template "../left_menu"}
+    {$template "../location_menu"}
+    {$template "../left_menu"}
 
-	<div class="right-box tiny">
-		<div class="margin"></div>
-		<p class="ui message">此功能暂未开放，敬请期待。</p>
-	</div>
+    <div class="right-box tiny">
+        <form class="ui form" data-tea-action="$" data-tea-success="success">
+            <csrf-token></csrf-token>
+            <input type="hidden" name="webId" :value="webId">
+            <http-auth-config-box :v-auth-config="authConfig" :v-is-location="true"></http-auth-config-box>
+            <submit-btn></submit-btn>
+        </form>
+    </div>
 </div>
\ No newline at end of file
diff --git a/web/views/@default/servers/server/settings/locations/access/index.js b/web/views/@default/servers/server/settings/locations/access/index.js
new file mode 100644
index 00000000..295a9aaf
--- /dev/null
+++ b/web/views/@default/servers/server/settings/locations/access/index.js
@@ -0,0 +1,3 @@
+Tea.context(function () {
+	this.success = NotifyReloadSuccess("保存成功")
+})
\ No newline at end of file