diff --git a/src/main/java/com/youlai/boot/common/result/ResponseWriter.java b/src/main/java/com/youlai/boot/common/result/ResponseWriter.java
index 2bec9994..9b033990 100644
--- a/src/main/java/com/youlai/boot/common/result/ResponseWriter.java
+++ b/src/main/java/com/youlai/boot/common/result/ResponseWriter.java
@@ -69,7 +69,7 @@ public final class ResponseWriter {
 Result result = message == null ? Result.failed(resultCode) : Result.failed(resultCode, message);
-
+
 int httpStatus = mapHttpStatus(resultCode);
 writeResult(response, result, httpStatus);
 }
@@ -85,11 +85,11 @@ public final class ResponseWriter {
 try {
 // 设置HTTP状态码
 response.setStatus(httpStatus);
-
+
 // 设置响应编码和内容类型
 response.setCharacterEncoding(StandardCharsets.UTF_8.toString());
 response.setContentType(MediaType.APPLICATION_JSON_VALUE);
-
+
 // 写入响应
 JakartaServletUtil.write(response,
 JSONUtil.toJsonStr(result),
@@ -103,6 +103,9 @@ public final class ResponseWriter {
 /**
 * 根据业务结果码映射HTTP状态码
+ * 401: 未认证(token无效/过期)
+ * 403: 权限不足
+ * 400: 其他业务错误
 *
 * @param resultCode 业务结果码
 * @return HTTP状态码
@@ -110,9 +113,10 @@ public final class ResponseWriter {
 private static int mapHttpStatus(ResultCode resultCode) {
 return switch (resultCode) {
 case ACCESS_UNAUTHORIZED,
- ACCESS_TOKEN_INVALID,
- REFRESH_TOKEN_INVALID -> HttpStatus.UNAUTHORIZED.value();
+ ACCESS_TOKEN_INVALID,
+ REFRESH_TOKEN_INVALID -> HttpStatus.UNAUTHORIZED.value();
+ case ACCESS_PERMISSION_EXCEPTION -> HttpStatus.FORBIDDEN.value();
 default -> HttpStatus.BAD_REQUEST.value();
 };
 }
-}
\ No newline at end of file
+}
diff --git a/src/main/java/com/youlai/boot/framework/security/handler/MyAccessDeniedHandler.java b/src/main/java/com/youlai/boot/framework/security/handler/MyAccessDeniedHandler.java
index 6da8be19..712cc0a4 100644
--- a/src/main/java/com/youlai/boot/framework/security/handler/MyAccessDeniedHandler.java
+++ b/src/main/java/com/youlai/boot/framework/security/handler/MyAccessDeniedHandler.java
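Review bot: The only functional change in ResponseWriter is the single added line `case ACCESS_PERMISSION_EXCEPTION -> HttpStatus.FORBIDDEN.value();` in the mapHttpStatus hunk, but it is surrounded by whitespace-only edits (the two blank-line hunks and the re-indented `ACCESS_TOKEN_INVALID` / `REFRESH_TOKEN_INVALID` labels), which makes the status-code change easy to miss in review. Separating formatter-only churn from the behavioral change would keep the security-relevant diff readable. The `default -> HttpStatus.BAD_REQUEST.value();` arm remains, so any future authorization-related ResultCode that is not added here will silently surface as 400 rather than 403; a short comment on the default arm noting that new auth codes must be mapped explicitly would make that expectation visible.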
@@ -18,7 +18,8 @@ public class MyAccessDeniedHandler implements AccessDeniedHandler {
 @Override
 public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) {
- ResponseWriter.writeError(response, ResultCode.ACCESS_UNAUTHORIZED);
+ // 权限不足返回 403 Forbidden
+ ResponseWriter.writeError(response, ResultCode.ACCESS_PERMISSION_EXCEPTION);
 }
 }
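Review bot: The handler still discards both `request` and `accessDeniedException`, so an authorization failure now returns a correct 403 but leaves no server-side record of which principal was denied which resource, which is exactly the event an access-control audit trail needs. Before the `ResponseWriter.writeError(...)` call, record the denial at warn level with the request URI and authenticated user (for example `request.getRequestURI()` and `request.getRemoteUser()`), using the class's logger if one exists — the field declarations are outside the hunk. The 403 mapping also presumes this handler is reached only for authenticated principals; if an anonymous request could arrive here instead of at the authentication entry point, it would now receive 403 where 401 is expected, so this is worth confirming against the security filter configuration.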