Springboot敏感字段脱敏的实现思路 Springboot敏感字段脱敏的实现思

生产环境用户的隐私数据，比如手机号、身份证或者一些账号配置等信息，入库时都要进行不落地脱敏，也就是在进入我们系统时就要实时的脱敏处理。
【Springboot敏感字段脱敏的实现思路】用户数据进入系统，脱敏处理后持久化到数据库，用户查询数据时还要进行反向解密。这种场景一般需要全局处理，那么用AOP切面来实现在适合不过了。
首先自定义两个注解@EncryptField、@EncryptMethod分别用在字段属性和方法上，实现思路很简单，只要方法上应用到@EncryptMethod注解，则检查入参字段是否标注@EncryptField注解，有则将对应字段内容加密。

@Documented@Target({ElementType.FIELD,ElementType.PARAMETER})@Retention(RetentionPolicy.RUNTIME)public @interface EncryptField { String[] value() default ""; }

@Documented@Target({ElementType.METHOD})@Retention(RetentionPolicy.RUNTIME)public @interface EncryptMethod { String type() default ENCRYPT; }

切面的实现也比较简单，对入参加密，返回结果解密。

import com.xiaofu.annotation.EncryptField; import com.xiaofu.annotation.EncryptMethod; import lombok.extern.slf4j.Slf4j; import org.aspectj.lang.ProceedingJoinPoint; import org.aspectj.lang.annotation.*; import org.aspectj.lang.reflect.MethodSignature; import org.jasypt.encryption.StringEncryptor; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import org.springframework.util.SerializationUtils; import java.lang.reflect.Field; import java.util.*; import static com.xiaofu.enums.EncryptConstant.DECRYPT; import static com.xiaofu.enums.EncryptConstant.ENCRYPT; @Slf4j@Aspect@Componentpublic class EncryptHandler { @Autowiredprivate StringEncryptor stringEncryptor; @Pointcut("@annotation(com.xiaofu.annotation.EncryptMethod)")public void pointCut() {} @Around("pointCut()")public Object around(ProceedingJoinPoint joinPoint) {/*** 加密*/encrypt(joinPoint); /*** 解密*/Object decrypt = decrypt(joinPoint); return decrypt; } public void encrypt(ProceedingJoinPoint joinPoint) { try {Object[] objects = joinPoint.getArgs(); if (objects.length != 0) {for (Object o : objects) {if (o instanceof String) {encryptValue(o); } else {handler(o, ENCRYPT); }//TODO 其余类型自己看实际情况加}}} catch (IllegalAccessException e) {e.printStackTrace(); }} public Object decrypt(ProceedingJoinPoint joinPoint) {Object result = null; try {Object obj = joinPoint.proceed(); if (obj != null) {if (obj instanceof String) {decryptValue(obj); } else {result = handler(obj, DECRYPT); }//TODO 其余类型自己看实际情况加}} catch (Throwable e) {e.printStackTrace(); }return result; } private Object handler(Object obj, String type) throws IllegalAccessException { if (Objects.isNull(obj)) {return null; }Field[] fields = obj.getClass().getDeclaredFields(); for (Field field : fields) {boolean hasSecureField = field.isAnnotationPresent(EncryptField.class); if (hasSecureField) {field.setAccessible(true); String realValue = https://www.it610.com/article/(String) field.get(obj); String value; if (DECRYPT.equals(type)) {value = stringEncryptor.decrypt(realValue); } else {value = stringEncryptor.encrypt(realValue); }field.set(obj, value); }}return obj; } public String encryptValue(Object realValue) {String value = null; try {value = stringEncryptor.encrypt(String.valueOf(realValue)); } catch (Exception ex) {return value; }return value; } public String decryptValue(Object realValue) {String value = String.valueOf(realValue); try {value = stringEncryptor.decrypt(value); } catch (Exception ex) {return value; }return value; }}

紧接着测试一下切面注解的效果，我们对字段mobile、address加上注解@EncryptField做脱敏处理。

@EncryptMethod@PostMapping(value = "https://www.it610.com/article/test")@ResponseBodypublic Object testEncrypt(@RequestBody UserVo user, @EncryptField String name) { return insertUser(user, name); } private UserVo insertUser(UserVo user, String name) {System.out.println("加密后的数据：user" + JSON.toJSONString(user)); return user; } @Datapublic class UserVo implements Serializable { private Long userId; @EncryptFieldprivate String mobile; @EncryptFieldprivate String address; private String age; }

请求这个接口，看到参数被成功加密，而返回给用户的数据依然是脱敏前的数据，符合我们的预期，那到这简单的脱敏实现就完事了。