diff --git a/api/lib/perm/acl/__init__.py b/api/lib/perm/acl/__init__.py
index 380474e..543604e 100644
--- a/api/lib/perm/acl/__init__.py
+++ b/api/lib/perm/acl/__init__.py
@@ -1 +1,23 @@
 # -*- coding:utf-8 -*-
+
+
+from functools import wraps
+
+from flask import request
+from flask import abort
+
+from api.lib.perm.acl.cache import AppCache
+
+
+def validate_app(func):
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        app_id = request.values.get('app_id')
+        app = AppCache.get(app_id)
+        if app is None:
+            return abort(400, "App <{0}> does not exist".format(app_id))
+        request.values['app_id'] = app.id
+
+        return func(*args, **kwargs)
+
+    return wrapper
diff --git a/api/lib/perm/acl/cache.py b/api/lib/perm/acl/cache.py
index bc0cb70..d2b8a4f 100644
--- a/api/lib/perm/acl/cache.py
+++ b/api/lib/perm/acl/cache.py
@@ -1,11 +1,37 @@
 # -*- coding:utf-8 -*-
 
 from api.extensions import cache
+from api.models.acl import App
 from api.models.acl import Permission
 from api.models.acl import Role
 from api.models.acl import User
 
 
+class AppCache(object):
+    PREFIX_ID = "App::id::{0}"
+    PREFIX_NAME = "App::name::{0}"
+
+    @classmethod
+    def get(cls, key):
+        app = cache.get(cls.PREFIX_ID.format(key)) or cache.get(cls.PREFIX_NAME.format(key))
+        if app is None:
+            app = App.get_by_id(key) or App.get_by(name=key, to_dict=False, first=True)
+        if app is not None:
+            cls.set(app)
+
+        return app
+
+    @classmethod
+    def set(cls, app):
+        cache.set(cls.PREFIX_ID.format(app.id), app)
+        cache.set(cls.PREFIX_NAME.format(app.name), app)
+
+    @classmethod
+    def clean(cls, app):
+        cache.delete(cls.PREFIX_ID.format(app.id))
+        cache.delete(cls.PREFIX_NAME.format(app.name))
+
+
 class UserCache(object):
     PREFIX_ID = "User::uid::{0}"
     PREFIX_NAME = "User::username::{0}"
diff --git a/api/lib/perm/acl/resource.py b/api/lib/perm/acl/resource.py
index 9826d65..6800820 100644
--- a/api/lib/perm/acl/resource.py
+++ b/api/lib/perm/acl/resource.py
@@ -156,6 +156,3 @@ class ResourceCRUD(object):
         resource = Resource.get_by_id(_id) or abort(404, "Resource <{0}> is not found".format(_id))
 
         resource.soft_delete()
-
-
-
diff --git a/api/views/acl/__init__.py b/api/views/acl/__init__.py
index e3c651d..380474e 100644
--- a/api/views/acl/__init__.py
+++ b/api/views/acl/__init__.py
@@ -1,3 +1 @@
 # -*- coding:utf-8 -*-
-
-__author__ = 'pycook'
diff --git a/api/views/acl/resource.py b/api/views/acl/resources.py
similarity index 96%
rename from api/views/acl/resource.py
rename to api/views/acl/resources.py
index 91f9c84..3b7bae8 100644
--- a/api/views/acl/resource.py
+++ b/api/views/acl/resources.py
@@ -3,6 +3,7 @@
 from flask import request
 
 from api.lib.decorator import args_required
+from api.lib.perm.acl import validate_app
 from api.lib.perm.acl.resource import ResourceCRUD
 from api.lib.perm.acl.resource import ResourceGroupCRUD
 from api.lib.utils import get_page
@@ -15,6 +16,7 @@ class ResourceView(APIView):
     url_prefix = ("/resources", "/resources/<int:resource_id>")
 
     @args_required('app_id')
+    @validate_app
     def get(self):
         page = get_page(request.values.get("page", 1))
         page_size = get_page_size(request.values.get("page_size"))
@@ -31,6 +33,7 @@ class ResourceView(APIView):
     @args_required('name')
     @args_required('type_id')
     @args_required('app_id')
+    @validate_app
     def post(self):
         name = request.values.get('name')
         type_id = request.values.get('type_id')
@@ -57,6 +60,7 @@ class ResourceView(APIView):
 class ResourceGroupView(APIView):
     url_prefix = ("/resource_groups", "/resource_groups/<int:group_id>")
 
+    @validate_app
     def get(self):
         page = get_page(request.values.get("page", 1))
         page_size = get_page_size(request.values.get("page_size"))
@@ -73,6 +77,7 @@ class ResourceGroupView(APIView):
     @args_required('name')
     @args_required('type_id')
     @args_required('app_id')
+    @validate_app
     def post(self):
         name = request.values.get('name')
         type_id = request.values.get('type_id')
diff --git a/api/views/acl/role.py b/api/views/acl/role.py
index ca59e5a..6015d37 100644
--- a/api/views/acl/role.py
+++ b/api/views/acl/role.py
@@ -3,6 +3,7 @@
 from flask import request
 
 from api.lib.decorator import args_required
+from api.lib.perm.acl import validate_app
 from api.lib.perm.acl.role import RoleCRUD
 from api.lib.perm.acl.role import RoleRelationCRUD
 from api.lib.utils import get_page
@@ -14,6 +15,7 @@ class RoleView(APIView):
     url_prefix = ("/roles", "/roles/<int:rid>")
 
     @args_required('app_id')
+    @validate_app
     def get(self):
         page = get_page(request.values.get("page", 1))
         page_size = get_page_size(request.values.get("page_size"))
@@ -32,6 +34,7 @@ class RoleView(APIView):
 
     @args_required('name')
     @args_required('app_id')
+    @validate_app
     def post(self):
         name = request.values.get('name')
         app_id = request.values.get('app_id')