
Implementing data encryption and desensitization in Spring Boot (annotations + reflection + AOP)

Author: IT技術控


Scenario: to comply with government requirements, commercial software must ensure that users' basic information is not leaked, and must not directly display sensitive information such as phone numbers, ID card numbers and addresses.

Two points follow from that scenario description.

  • "Not leaked" means user information must be stored encrypted;
  • "Not directly displayed" means user information must be desensitized (masked) when shown;

Solution

  • The brute-force approach: for the fields of the project's user-information entity classes (name, phone number, ID number, address and so on), encrypt the data before it is inserted into the database; when listing user information, decrypt and desensitize the data read from the database, then return it to the front end;
  • The cross-cutting approach: mark the fields of the user-information entity classes with annotations. The entity used to create a user (called UserBO here) gets @EncryptField on its name and phone fields, and the entity returned to the client (called UserDO here) gets @DecryptField on its name and phone fields. With @EncryptField and @DecryptField as the cut-in points, encryption and decryption/desensitization are then implemented as aspects;

"Brute-force" does not mean stupid; it is relative to the cross-cutting approach. The brute-force approach needs encryption and decryption/desensitization logic in every interface that touches user information, so many places change, the risk is high, the same logic is repeated, the workload is large and later maintenance is hard. The cross-cutting approach only needs annotations on the user-information fields, and every annotated field is encrypted and decrypted/desensitized by one shared piece of logic: convenient to apply, highly cohesive and easy to maintain.

Implementation

The brute-force approach is not difficult, so here I implement the cross-cutting approach. Before implementing it, a warm-up on annotations, reflection and AOP.

Annotations in practice

Creating annotations

Create an annotation that can only be placed on methods:

package com.weige.javaskillpoint.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.METHOD)         // METHOD: the annotation may only be applied to methods
@Retention(RetentionPolicy.RUNTIME) // RUNTIME: the annotation is retained and visible at run time
public @interface Encryption {

}

Create an annotation that can only be placed on fields:

package com.weige.javaskillpoint.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.FIELD)           // FIELD: the annotation may only be applied to fields
@Retention(RetentionPolicy.RUNTIME)  // RUNTIME: the annotation is retained and visible at run time
public @interface EncryptField {

}

Create an annotation placed on fields that also carries a value:

package com.weige.javaskillpoint.annotation;

import com.weige.javaskillpoint.enums.DesensitizationEnum;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
public @interface DecryptField {
    // An annotation can carry a value; the type may be an array, a String, an enum, etc.
    // It is read with DesensitizationEnum desensitizationEnum = field.getAnnotation(DecryptField.class).value();
    // where field is the field currently carrying the annotation
    DesensitizationEnum value();
}

Using annotations

Create the enum

package com.weige.javaskillpoint.enums;

public enum DesensitizationEnum {
    name,     // mask the user's name
    address,  // mask the user's address
    phone;    // mask the user's phone number
}

Create the UserDO class

package com.weige.javaskillpoint.entity;

import com.weige.javaskillpoint.annotation.DecryptField;
import com.weige.javaskillpoint.enums.DesensitizationEnum;

import java.lang.reflect.Field;

// Entity returned to the client with user information
public class UserDO {

    @DecryptField(DesensitizationEnum.name)
    private String name;

    @DecryptField(DesensitizationEnum.address)
    private String address;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getAddress() {
        return address;
    }

    public void setAddress(String address) {
        this.address = address;
    }

    public UserDO(String name, String address) {
        this.name = name;
        this.address = address;
    }

    public static void main(String[] args) throws IllegalAccessException {
        // Create and initialise an object
        UserDO userDO = new UserDO("夢想是什麼","湖北省武漢市");
        // Use reflection to obtain all fields of the object
        Field[] fields = userDO.getClass().getDeclaredFields();
        // Iterate over the fields
        for (Field field : fields) {
            // Check whether the field carries @DecryptField
            boolean hasSecureField = field.isAnnotationPresent(DecryptField.class);
            // It does
            if (hasSecureField) {
                // Make the field accessible; otherwise private fields cannot be read or written
                field.setAccessible(true);
                // Only handle fields that are non-null on userDO, i.e. name and address have values
                if (field.get(userDO) != null) {
                    // Read the value carried by the annotation on the field
                    DesensitizationEnum desensitizationEnum = field.getAnnotation(DecryptField.class).value();
                    // Print it to the console
                    System.out.println(desensitizationEnum);
                    // Depending on the value, different masking logic can be applied to the field,
                    // e.g. name -> 魏*, phone -> 187****2275
                }
            }
        }
    }
}

Reflection in practice

Create the UserBO class

package com.weige.javaskillpoint.entity;

import com.weige.javaskillpoint.annotation.EncryptField;

import java.lang.reflect.Field;

// Entity used to create a user
public class UserBO {
    @EncryptField
    private String name;

    @EncryptField
    private String address;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getAddress() {
        return address;
    }

    public void setAddress(String address) {
        this.address = address;
    }

    public UserBO(String name, String address) {
        this.name = name;
        this.address = address;
    }

    @Override
    public String toString() {
        return "UserBO{" +
                "name='" + name + '\'' +
                ", address='" + address + '\'' +
                '}';
    }

    public static void main(String[] args) throws IllegalAccessException {
        UserBO userBO = new UserBO("周傳雄","湖北省武漢市");
        Field[] fields = userBO.getClass().getDeclaredFields();
        for (Field field : fields) {
            boolean annotationPresent = field.isAnnotationPresent(EncryptField.class);
            if(annotationPresent){
                // The field value is non-null (no setAccessible needed here: main is inside UserBO itself)
                if(field.get(userBO) != null){
                    // Encrypt the field value
                    Object obj = encrypt(field.get(userBO));
                    // Write the encrypted value back into the field via reflection
                    field.set(userBO, obj);
                }
            }
        }
        System.out.println(userBO);
    }

    // Placeholder "encryption" for the demo; the real AES version lives in AesUtil
    public static Object encrypt(Object obj){
        return "加密: " + obj;
    }
}

AOP in practice

Pointcut:

package com.weige.javaskillpoint.controller;

import com.weige.javaskillpoint.annotation.Encryption;
import com.weige.javaskillpoint.entity.UserBO;
import lombok.extern.slf4j.Slf4j;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/encrypt")
@Slf4j
public class EncryptController {

    @PostMapping("/v1")
    @Encryption  // the pointcut: methods carrying this annotation are advised
    public UserBO insert(@RequestBody UserBO user) {
        log.info("加密後對象:{}", user);
        return user;
    }
}

Aspect:

package com.weige.javaskillpoint.aop;

import lombok.extern.slf4j.Slf4j;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.stereotype.Component;

@Slf4j
@Aspect
@Component
public class EncryptAspect {

    // Intercept methods carrying the encryption annotation: the pointcut
    @Pointcut("@annotation(com.weige.javaskillpoint.annotation.Encryption)")
    public void point() {

    }

    @Around("point()") // around advice
    public Object around(ProceedingJoinPoint joinPoint) throws Throwable {
        // Encryption logic runs before the advised method body
        encrypt(joinPoint);
        return joinPoint.proceed();
    }

    public void encrypt(ProceedingJoinPoint joinPoint) {
        // Placeholder so this preview compiles; the reflection-based field encryption
        // is filled in by the full EncryptAspect in the "Aspects" section below
        log.info("encrypting arguments of {}", joinPoint.getSignature());
    }

}

Why use AOP here: annotations and reflection both need something to trigger them, and in the demos above that trigger was a main method. With AOP, once the project has started, calling any method that matches the pointcut forms an aspect around it and applies the shared enhancement logic uniformly. If you are familiar with Spring MVC, it provides the ResponseBodyAdvice and RequestBodyAdvice interfaces, which pre-process responses and requests respectively; with those, AOP is not needed.

Encryption, decryption and desensitization in practice

Project directory:

[Project directory screenshot]

pom.xml:

<dependencies>
        <!-- Included in a Spring Boot project by default -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <!-- Spring Boot web project -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <!-- lombok -->
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>1.18.22</version>
        </dependency>

        <!-- hutool -->
        <dependency>
            <groupId>cn.hutool</groupId>
            <artifactId>hutool-all</artifactId>
            <version>5.7.20</version>
        </dependency>

        <!-- aspects / AOP -->
        <dependency>
            <groupId>org.aspectj</groupId>
            <artifactId>aspectjweaver</artifactId>
            <version>1.9.7</version>
        </dependency>
    </dependencies>

Entity classes

User creation entity: UserBO

package com.weige.javaskillpoint.entity;

import com.weige.javaskillpoint.annotation.EncryptField;

// Entity class
public class UserBO {
    @EncryptField
    private String name;

    @EncryptField
    private String address;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getAddress() {
        return address;
    }

    public void setAddress(String address) {
        this.address = address;
    }

    public UserBO(String name, String address) {
        this.name = name;
        this.address = address;
    }

    @Override
    public String toString() {
        return "UserBO{" +
                "name='" + name + '\'' +
                ", address='" + address + '\'' +
                '}';
    }
}

User response entity: UserDO

package com.weige.javaskillpoint.entity;

import com.weige.javaskillpoint.annotation.DecryptField;
import com.weige.javaskillpoint.enums.DesensitizationEnum;

// Entity class
public class UserDO {

    @DecryptField(DesensitizationEnum.name)
    private String name;

    @DecryptField(DesensitizationEnum.address)
    private String address;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getAddress() {
        return address;
    }

    public void setAddress(String address) {
        this.address = address;
    }

    public UserDO(String name, String address) {
        this.name = name;
        this.address = address;
    }
}

Desensitization enum

package com.weige.javaskillpoint.enums;

public enum DesensitizationEnum {
    name,
    address,
    phone;
}

Annotations

Decrypt field annotation (on fields):

package com.weige.javaskillpoint.annotation;

import com.weige.javaskillpoint.enums.DesensitizationEnum;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
public @interface DecryptField {
    DesensitizationEnum value();
}

Decrypt method annotation (on methods, used as the pointcut):

package com.weige.javaskillpoint.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface Decryption {

}

Encrypt field annotation (on fields):

package com.weige.javaskillpoint.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
public @interface EncryptField {

}

Encrypt method annotation (on methods, used as the pointcut):

package com.weige.javaskillpoint.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface Encryption {

}

Controller layer

Decrypt controller:

package com.weige.javaskillpoint.controller;

import com.weige.javaskillpoint.annotation.Decryption;
import com.weige.javaskillpoint.entity.UserDO;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/decrypt")
public class DecryptController {

    @GetMapping("/v1")
    @Decryption
    public UserDO decrypt() {
        // Stands in for a database read: the two values are the AES ciphertexts of name and address
        return new UserDO("7c29e296e92893476db5f9477480ba7f", "b5c7ff86ac36c01dda45d9ffb0bf73194b083937349c3901f571d42acdaa7bae");
    }

}

Encrypt controller:

package com.weige.javaskillpoint.controller;

import com.weige.javaskillpoint.annotation.Encryption;
import com.weige.javaskillpoint.entity.UserBO;
import lombok.extern.slf4j.Slf4j;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/encrypt")
@Slf4j
public class EncryptController {

    @PostMapping("/v1")
    @Encryption
    public UserBO insert(@RequestBody UserBO user) {
        log.info("加密後對象:{}", user);
        return user;
    }
}

Aspects

Decryption/desensitization aspect:

package com.weige.javaskillpoint.aop;

import com.weige.javaskillpoint.annotation.DecryptField;
import com.weige.javaskillpoint.enums.DesensitizationEnum;
import com.weige.javaskillpoint.utils.AesUtil;
import lombok.extern.slf4j.Slf4j;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.stereotype.Component;

import java.lang.reflect.Field;
import java.util.List;
import java.util.Objects;

@Slf4j
@Aspect
@Component
public class DecryptAspect {
    // Intercept methods carrying the decryption annotation
    @Pointcut("@annotation(com.weige.javaskillpoint.annotation.Decryption)")
    public void point() {

    }

    @Around("point()")
    public Object around(ProceedingJoinPoint joinPoint) throws Throwable {
        // Decrypt and desensitize the return value
        return decrypt(joinPoint);
    }

    public Object decrypt(ProceedingJoinPoint joinPoint) throws Throwable {
        // Exceptions propagate to the caller; the original caught Throwable, printed the
        // stack trace and returned null, which silently turned every failure into an empty response
        Object obj = joinPoint.proceed();
        if (obj == null) {
            return null;
        }
        // Starting point only; add checks for other return types as needed
        if (obj instanceof String) {
            decryptValue();
            return obj;   // a bare String has no annotated fields, so it is returned unchanged
        }
        return decryptData(obj);
    }

    private Object decryptData(Object obj) throws IllegalAccessException {
        if (Objects.isNull(obj)) {
            return null;
        }
        if (obj instanceof List) {
            decryptList((List<?>) obj);
        } else {
            decryptObj(obj);
        }
        return obj;
    }

    private void decryptObj(Object obj) throws IllegalAccessException {
        Field[] fields = obj.getClass().getDeclaredFields();
        for (Field field : fields) {
            boolean hasSecureField = field.isAnnotationPresent(DecryptField.class);
            if (hasSecureField) {
                field.setAccessible(true);
                if (field.get(obj) != null) {
                    String realValue = (String) field.get(obj);
                    DesensitizationEnum desensitizationEnum = field.getAnnotation(DecryptField.class).value();
                    // Decrypt, then mask according to the kind given in the annotation
                    String value = (String) AesUtil.decrypt(realValue, desensitizationEnum);
                    field.set(obj, value);
                }
            }
        }
    }

    private void decryptList(List<?> list) throws IllegalAccessException {
        for (Object object : list) {
            decryptObj(object);
        }
    }

    private void decryptValue() {
        log.info("根據對象進行解密脫敏,單個字段不做處理!");
    }

}

Encryption aspect:

package com.weige.javaskillpoint.aop;

import com.weige.javaskillpoint.annotation.EncryptField;
import com.weige.javaskillpoint.entity.UserBO;
import com.weige.javaskillpoint.utils.AesUtil;
import lombok.extern.slf4j.Slf4j;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.stereotype.Component;

import java.lang.reflect.Field;

@Slf4j
@Aspect
@Component
public class EncryptAspect {

    // Intercept methods carrying the encryption annotation
    @Pointcut("@annotation(com.weige.javaskillpoint.annotation.Encryption)")
    public void point() {

    }

    @Around("point()")
    public Object around(ProceedingJoinPoint joinPoint) throws Throwable {
        // Encrypt the annotated fields of the arguments before the method body runs
        encrypt(joinPoint);
        return joinPoint.proceed();
    }

    public void encrypt(ProceedingJoinPoint joinPoint) throws IllegalAccessException {
        Object[] objects = joinPoint.getArgs();
        try {
            for (Object object : objects) {
                if (object instanceof UserBO) {
                    Field[] fields = object.getClass().getDeclaredFields();
                    for (Field field : fields) {
                        if (field.isAnnotationPresent(EncryptField.class)) {
                            field.setAccessible(true);
                            if (field.get(object) != null) {
                                // Encrypt the field value and write it back via reflection
                                Object encrypt = AesUtil.encrypt(field.get(object));
                                field.set(object, encrypt);
                            }
                        }
                    }
                }
            }
        } catch (IllegalAccessException e) {
            // Fail closed: the original only logged the message and let the advised method
            // continue, which would hand it the still-unencrypted user data
            log.error("field encryption failed", e);
            throw e;
        }
    }
}
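The two aspects above recognise only UserBO arguments and List return values, and getDeclaredFields() does not see fields inherited from a superclass. The following added helper (my own example, not code from the post) generalises the reflection walk to any object graph: it follows collections, maps and nested beans, walks the superclass chain, and guards against cycles. The @Sensitive annotation and the sample Person/Employee classes are stand-ins I constructed for the post's @EncryptField and entity classes, and the UnaryOperator takes the place of AesUtil.encrypt or AesUtil.decrypt.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;
import java.util.function.UnaryOperator;

public class AnnotatedFieldWalker {
    // Hypothetical stand-in for the post's @EncryptField / @DecryptField so this file compiles alone
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    public @interface Sensitive {}

    /** Apply fn to every String field marked @Sensitive, recursing into collections, maps and nested beans. */
    public static void apply(Object root, UnaryOperator<String> fn) throws IllegalAccessException {
        walk(root, fn, Collections.newSetFromMap(new IdentityHashMap<>()));
    }

    private static void walk(Object node, UnaryOperator<String> fn, Set<Object> seen) throws IllegalAccessException {
        if (node == null || isLeaf(node.getClass()) || !seen.add(node)) return; // null, plain JDK type, or a cycle
        if (node instanceof Collection) {
            for (Object item : (Collection<?>) node) walk(item, fn, seen);
            return;
        }
        if (node instanceof Map) {
            for (Object v : ((Map<?, ?>) node).values()) walk(v, fn, seen);
            return;
        }
        // Walk up the class hierarchy: getDeclaredFields() on the runtime class alone skips inherited fields
        for (Class<?> c = node.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                if (Modifier.isStatic(f.getModifiers())) continue;
                f.setAccessible(true);
                Object v = f.get(node);
                if (v == null) continue;
                if (f.isAnnotationPresent(Sensitive.class) && v instanceof String) {
                    f.set(node, fn.apply((String) v));
                } else {
                    walk(v, fn, seen); // nested bean, or a collection of beans
                }
            }
        }
    }

    // Primitives, enums and JDK classes other than collections/maps carry no annotated fields of ours
    private static boolean isLeaf(Class<?> c) {
        return c.isPrimitive() || c.isEnum() || (c.getName().startsWith("java.")
                && !Collection.class.isAssignableFrom(c) && !Map.class.isAssignableFrom(c));
    }

    // Constructed sample types: Employee inherits the annotated name field from Person
    static class Person { @Sensitive String name; Person(String n) { name = n; } }
    static class Employee extends Person {
        @Sensitive String phone;
        List<Person> contacts = new ArrayList<>();
        Employee(String n, String p) { super(n); phone = p; }
    }

    public static void main(String[] args) throws IllegalAccessException {
        Employee e = new Employee("周傳雄", "18700002275");
        e.contacts.add(new Person("魏某"));
        apply(e, s -> "enc(" + s + ")"); // stand-in for AesUtil.encrypt
        System.out.println(e.name + " | " + e.phone + " | " + e.contacts.get(0).name);
    }
}
```

In the aspects, `apply(arg, s -> (String) AesUtil.encrypt(s))` on each argument and the equivalent decrypt call on the return value replace the hand-written UserBO and List special cases.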

Utility classes

Encryption utility: AesUtil

package com.weige.javaskillpoint.utils;

import cn.hutool.core.util.CharsetUtil;
import cn.hutool.crypto.SecureUtil;
import cn.hutool.crypto.symmetric.AES;
import com.weige.javaskillpoint.enums.DesensitizationEnum;

public class AesUtil {

    // AES key: 16 bytes (128-bit) here; 24 or 32 bytes (192/256-bit) are also accepted.
    // A key hard-coded in source ships with every build and every repository clone;
    // in a real deployment load it from configuration or a secret store instead.
    private static final String AES_KEY = "Wk#qerdfdshbd910";

    // SecureUtil.aes(key) builds Hutool's default AES (ECB mode, PKCS5 padding), so equal
    // plaintexts always yield equal ciphertexts; for data that must not be correlatable,
    // prefer an authenticated mode such as GCM with a fresh IV per value.
    private static final AES aes = SecureUtil.aes(AES_KEY.getBytes());

    public static Object encrypt(Object obj) {
        return aes.encryptHex((String) obj);
    }

    public static Object decrypt(Object obj, DesensitizationEnum desensitizationEnum) {
        // Decrypt
        Object decrypt = decrypt(obj);
        // Desensitize
        return DesensitizationUtil.desensitization(decrypt, desensitizationEnum);
    }

    public static Object decrypt(Object obj) {
        return aes.decryptStr((String) obj, CharsetUtil.CHARSET_UTF_8);
    }

}
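AesUtil above hard-codes the key in source and relies on Hutool's default (deterministic) AES mode. As an added example that is not part of the post, here is an alternative built only on javax.crypto: AES-GCM with a random 96-bit IV prepended to the ciphertext, an authentication tag that makes tampering detectable, and a key read from an environment variable. The class name GcmFieldCipher and the variable name USER_FIELD_KEY_B64 are my assumptions.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class GcmFieldCipher {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key;

    public GcmFieldCipher(byte[] rawKey) {
        if (rawKey.length != 16 && rawKey.length != 24 && rawKey.length != 32) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes");
        }
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    // Read the base64-encoded key from the environment instead of a string literal in source
    public static GcmFieldCipher fromEnv(String varName) {
        String b64 = System.getenv(varName);
        if (b64 == null) throw new IllegalStateException("missing key variable " + varName);
        return new GcmFieldCipher(Base64.getDecoder().decode(b64));
    }

    // Output layout: base64( IV || ciphertext || tag ); a fresh IV per call hides equal plaintexts
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Throws AEADBadTagException if the token was modified or was encrypted under another key
    public String decrypt(String token) throws Exception {
        byte[] in = Base64.getDecoder().decode(token);
        if (in.length < IV_BYTES + TAG_BITS / 8) throw new IllegalArgumentException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, Arrays.copyOf(in, IV_BYTES)));
        return new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[32];   // constructed demo key; the service would call fromEnv("USER_FIELD_KEY_B64")
        RNG.nextBytes(demoKey);
        GcmFieldCipher cipher = new GcmFieldCipher(demoKey);
        String a = cipher.encrypt("湖北省武漢市"), b = cipher.encrypt("湖北省武漢市");
        System.out.println("same token for same plaintext? " + a.equals(b) + ", round trip: " + cipher.decrypt(a));
        byte[] bad = Base64.getDecoder().decode(a);
        bad[bad.length - 1] ^= 1;        // flip one bit of the tag
        try { cipher.decrypt(Base64.getEncoder().encodeToString(bad)); }
        catch (AEADBadTagException e) { System.out.println("tampering detected"); }
    }
}
```

Because the IV is random, the same value stored twice no longer produces the same database column contents, so equality lookups on the encrypted column do not work; if you need those, keep a separate keyed hash (e.g. HMAC) of the value for searching.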

Desensitization utility: DesensitizationUtil

package com.weige.javaskillpoint.utils;

import cn.hutool.core.util.StrUtil;
import com.weige.javaskillpoint.enums.DesensitizationEnum;

public class DesensitizationUtil {

    public static Object desensitization(Object obj, DesensitizationEnum desensitizationEnum) {
        Object result;
        switch (desensitizationEnum) {
            case name:
                // Keep the first character, mask the rest: 魏*
                result = strUtilHide(obj, 1);
                break;
            case address:
                // Keep the first three characters, mask the rest
                result = strUtilHide(obj, 3);
                break;
            case phone:
                // Keep the first three and last four digits: 187****2275
                result = strUtilHide((String) obj, 3, 7);
                break;
            default:
                // Unknown kind: hide everything rather than leak the value
                result = "";
        }
        return result;
    }

    /**
     * start is 0-based and inclusive, end is exclusive; characters in that range are replaced with '*'
     */
    public static Object strUtilHide(String obj, int start, int end) {
        return StrUtil.hide(obj, start, end);
    }

    public static Object strUtilHide(Object obj, int start) {
        return strUtilHide(((String) obj), start, ((String) obj).length());
    }

}

Wrapping up

The code above is not difficult; copy it locally and run it once and you will basically understand it. May every programmer take fewer detours!