本文主要是介绍SpringBoot项目集成数据脱敏(密码加密)功能,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
代码连接【https://gitee.com/pengmqqq/sensitive-data-encryption】
介绍
后端敏感数据加密的一些解决方案,包括:
- 配置文件敏感数据加解密
- 前端传输敏感数据加解密
- 数据库获取的敏感数据加解密
软件架构
配置文件数据脱敏: Jasypt + AES
前后端传输以及数据库存储数据脱敏:AOP + AES
使用说明
-
配置文件数据脱敏
将需要脱敏的数据进行加密之后再放入配置文件(注意要使用解密算法配套的加密算法)例如:
test:password: Enc(TRBkk56w91m0bFOWzidFDQ==) -
前后端传输以及数据库存储数据脱敏:
在需要加密/解密的属性/参数上增加注解 @EncryptField
@Data @Accessors(chain = true) public class User {private Integer id;private String name;@EncryptFieldprivate String phone;@EncryptFieldprivate String email;private Integer age; }在需要对参数加密的方法上增加注解 @NeedEncrypt
@NeedEncrypt public void addAll(List<User> user) {users.addAll(user);System.out.println(""); }在需要对返回值解密的方法上增加注解 @NeedDecrypt
例如某些需要访问第三方平台的操作,从数据库取到的是加密的数据,代码中需要进行解密再发送给第三方平台进行认证
@NeedDecrypt public List<User> findAll() {ArrayList<User> list = new ArrayList<>(users);return list; }
实现方案
配置文件数据脱敏:
-
pom文件引入依赖:
<!-- 依赖aop --> <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-aop</artifactId> </dependency> <dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><optional>true</optional> </dependency> <!--配置密码加密--> <dependency><groupId>com.github.ulisesbocchio</groupId><artifactId>jasypt-spring-boot-starter</artifactId><version>3.0.4</version> </dependency> -
配置文件 application.yml 新增jasypt相关配置:
jasypt:encryptor:property:# 算法识别的前后缀,默认ENC(),包含在前后缀的加密信息,会使用指定算法解密prefix: Enc(suffix: )bean: desencrypt # 指定自定义加密算法的beantest:password: Enc(TRBkk56w91m0bFOWzidFDQ==) # 加密数据 -
新增自定义算法类:
@Component("desencrypt") public class JasyptAlgorithmConfig implements StringEncryptor {@Overridepublic String encrypt(String message) {return AESUtils.encrypt(message,AESUtils.getKey());}@Overridepublic String decrypt(String encryptedMessage) {return AESUtils.decrypt(encryptedMessage,AESUtils.getKey());} -
新增加密工具类:
public class AESUtils {private static final String USER_PWD_KEY = "g32DHJC4x8MAOdER";private static final Charset CHARSET = Charset.forName("UTF-8");// 加密算法名称private static final String AES = "AES";// 偏移量-AES 128位数据块对应偏移量为16位字符串private static final String IV = "70f5zbDJK9xXAJ5C";// AES-加密方式, CBC-工作模式,PKCS5Padding-填充模式private static final String AES_CBC_PKCS5PADDING = "AES/CBC/PKCS5Padding";/*** AES 加密操作** @param content 待加密内容* @param key 加密密钥* @return 返回Base64转码后的加密数据*/public static String encrypt(String content, String key) {if (StringUtils.isEmpty(content)) {return content;}try {/** 新建一个密码编译器的实例,由三部分构成,用"/"分隔,分别代表如下* 1. 加密的类型(如AES,DES,RC2等)* 2. 模式(AES中包含ECB,CBC,CFB,CTR,CTS等)* 3. 补码方式(包含nopadding/PKCS5Padding等等)* 依据这三个参数可以创建很多种加密方式*/Cipher cipher = Cipher.getInstance(AES_CBC_PKCS5PADDING);//偏移量IvParameterSpec zeroIv = new IvParameterSpec(IV.getBytes(CHARSET));byte[] byteContent = content.getBytes(CHARSET);//使用加密秘钥SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(CHARSET), AES);//SecretKeySpec skeySpec = getSecretKey(key);cipher.init(Cipher.ENCRYPT_MODE, skeySpec, zeroIv); // 初始化为加密模式的密码器byte[] result = cipher.doFinal(byteContent); // 加密return Base64.encodeBase64String(result); //通过Base64转码返回} catch (Exception ex) {throw new RuntimeException(ex);}}/*** AES 解密操作** @param content* @param key* @return*/public static String decrypt(String content, String key) {if (StringUtils.isEmpty(content)) {return content;}try {Cipher cipher = Cipher.getInstance(AES_CBC_PKCS5PADDING);IvParameterSpec zeroIv = new IvParameterSpec(IV.getBytes(CHARSET));SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(CHARSET), AES);//SecretKeySpec skeySpec = getSecretKey(key);cipher.init(Cipher.DECRYPT_MODE, skeySpec, zeroIv);byte[] result = cipher.doFinal(Base64.decodeBase64(content));return new String(result, CHARSET);} catch (Exception ex) {throw new RuntimeException(ex);}}public static String getKey(){return USER_PWD_KEY;} }
前后但接口以及数据库存储数据加密:
-
新增三个注解
-
@EncryptField
/*** 安全字段注解* 加在需要加密/解密的属性/参数上* 实现自动加密解密*/ @Target({ElementType.FIELD,ElementType.PARAMETER}) @Retention(RetentionPolicy.RUNTIME) public @interface EncryptField {String[] value() default ""; } -
@NeedDecrypt
/*** 安全字段注解* 加在需要解密的方法参数上* 实现自动解密*/ @Target({ElementType.METHOD}) @Retention(RetentionPolicy.RUNTIME) public @interface NeedDecrypt { } -
@NeedEncrypt
/*** 安全字段注解* 加在需要加密的方法参数上* 实现自动加密*/ @Target({ElementType.METHOD}) @Retention(RetentionPolicy.RUNTIME) public @interface NeedEncrypt { }
-
-
新增两个切面类
-
EncryptAspect
/*** @author 17540* 对加了@NeedEncrypt注释的方法的参数进行扫描,参数中存在@EncryptFild修饰的加密字段,则进行加密* 当前只适配非嵌套对象参数,List参数,普通String参数*/ @Slf4j @Aspect @Component public class EncryptAspect {@Pointcut("@annotation(com.example.encryption.common.anno.NeedEncrypt)")public void pointCut() {}@Around("pointCut()")public Object around(ProceedingJoinPoint joinPoint) throws Throwable {//加密return joinPoint.proceed(encrypt(joinPoint));}public Object[] encrypt(ProceedingJoinPoint joinPoint) {Object[] objects=null;try {objects = joinPoint.getArgs();if (objects.length != 0) {for (int i = 0; i < objects.length; i++) {//抛砖引玉 ,可自行扩展其他类型字段的判断if (objects[i] instanceof String) {String value = encryptValue(objects[i]);objects[i] = value;} else {encryptData(objects[i]);}}}} catch (Exception e) {e.printStackTrace();}return objects;}private void encryptData(Object obj) throws IllegalAccessException {if (Objects.isNull(obj)) {return;}if (obj instanceof ArrayList) {encryptList(obj);} else {encryptObj(obj);}}/*** 加密对象* @param obj* @throws IllegalAccessException*/private void encryptObj(Object obj) throws IllegalAccessException {if (Objects.isNull(obj)) {log.info("当前需要加密的object为null");return;}Field[] fields = obj.getClass().getDeclaredFields();for (Field field : fields) {boolean containEncryptField = field.isAnnotationPresent(EncryptField.class);if (containEncryptField) {//获取访问权field.setAccessible(true);if (field.get(obj) == null) {continue;}String value = AESUtils.encrypt(String.valueOf(field.get(obj)), AESUtils.getKey());field.set(obj, value);}}}/*** 针对list<实体来> 进行反射、解密* @param obj* @throws IllegalAccessException*/private void encryptList(Object obj) throws IllegalAccessException {List<Object> result = new ArrayList<>();if (obj instanceof ArrayList) {result.addAll((List<?>) obj);}for (Object object : result) {encryptObj(object);}obj = result;}/*** 加密单个值* @param realValue* @return*/public String encryptValue(Object realValue) {if (Objects.isNull(realValue)) {return null;}try {realValue = AESUtils.encrypt(String.valueOf(realValue), AESUtils.getKey());} catch (Exception e) {log.info("加密异常={}",e.getMessage());}return String.valueOf(realValue);} } -
DecryptAspect
/*** @author 17540* 对加了@NeedEncrypt注释的方法的参数进行扫描,参数中存在@EncryptFild修饰的加密字段,则进行加密* 当前只适配非嵌套对象参数,List参数,普通String参数*/ @Slf4j @Aspect @Component public class DecryptAspect {@Pointcut("@annotation(com.example.encryption.common.anno.NeedDecrypt)")public void pointCut() {}@Around("pointCut()")public Object around(ProceedingJoinPoint joinPoint) throws Throwable {//解密Object result = decrypt(joinPoint);return result;}public Object decrypt(ProceedingJoinPoint joinPoint) {Object result = null;try {Object obj = joinPoint.proceed();if (obj != null) {//抛砖引玉 ,可自行扩展其他类型字段的判断if (obj instanceof String) {result = decryptValue(obj);} else {result = decryptData(obj);}}} catch (Throwable e) {e.printStackTrace();}return result;}private Object decryptData(Object obj) throws IllegalAccessException {if (Objects.isNull(obj)) {return null;}if (obj instanceof ArrayList) {decryptList(obj);} else {decryptObj(obj);}return obj;}/*** 针对单个实体类进行 解密* @param obj* @throws IllegalAccessException*/private void decryptObj(Object obj) throws IllegalAccessException {Field[] fields = obj.getClass().getDeclaredFields();for (Field field : fields) {boolean hasSecureField = field.isAnnotationPresent(EncryptField.class);if (hasSecureField) {field.setAccessible(true);String realValue = (String) field.get(obj);if (Objects.isNull(realValue)) {continue;}try{String value = AESUtils.decrypt(realValue, AESUtils.getKey());field.set(obj, value);log.info("解密后={}", value);}catch (Exception e){log.error("解密{}异常=,{}",realValue, e.getMessage());}}}}/*** 针对list<实体来> 进行反射、解密* @param obj* @throws IllegalAccessException*/private void decryptList(Object obj) throws IllegalAccessException {List<Object> result = new ArrayList<>();if (obj instanceof ArrayList) {result.addAll((List<?>) obj);}for (Object object : result) {decryptObj(object);}obj = result;}public String decryptValue(Object realValue) {try {realValue = AESUtils.decrypt(String.valueOf(realValue), AESUtils.getKey());} catch (Exception e) {log.info("解密{}异常={}",realValue, e.getMessage());}return String.valueOf(realValue);} }
-
这篇关于SpringBoot项目集成数据脱敏(密码加密)功能的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
