前言:因公司需求需要把某些实体类的某些字段值进行加密保存,在查询时解密明文输出。现记录两种方式。
一、第一种方式:
(1)使用@TableField(typeHandler = TypeHandler.class)注解自带的字段类型处理器,写一个 handle 类继承 BaseTypeHandler。本身这个是用来处理字段类型转换的,如map转list之类的,这里也可以用作值加密。
注:使用这种方式有个前提,需要在@TableName注解上加上autoResultMap = true,才能使查询生效,否则只是新增修改生效进行拦截。没看源码猜想应该是先查整个实体有没有autoResultMap = true,再逐个进行字段拦截处理优化效率。
@Data
@TableName(value = "xxx",autoResultMap = true)
public class xxx implements Serializable {
private static final long serialVersionUID = 1L;
@TableId(type = IdType.NONE, value = "id")
private String id;
@ApiModelProperty(value = "用户名")
@TableField(value = "username",typeHandler = TypeControlHandler.class)
private String username;
@ApiModelProperty(value = "手机号")
@TableField(value = "phone",typeHandler = TypeControlHandler.class)
private String phone;
}
(2)定义加解密方式-自定义(这里配合使用了mysql的AES_ENCRYPT和AES_DECRYPT函数加解密,主要是为了实现模糊查询,具体加解密方式可以自定义)
//需要导包:
//<dependency>
// <groupId>commons-codec</groupId>
// <artifactId>commons-codec</artifactId>
//</dependency>
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.codec.binary.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
@Slf4j
public class DBAesUtils {
/** AES 加解密密钥,请勿擅自修改!!! */
public static final String key = "唯一加解密密匙key-自定义";
/**
* AES 加密 使用AES-128-ECB加密模式
* @param sSrc 需要加密的字段
* @param sKey 16 位密钥
* @return
* @throws Exception
*/
public static String Encrypt(String sSrc, String sKey) {
try {
if (sKey == null) {
return null;
}
/** 判断Key是否为16位 */
if (sKey.length() != 16) {
return null;
}
byte[] raw = sKey.getBytes("utf-8");
SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
/** "算法/模式/补码方式" */
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
byte[] encrypted = cipher.doFinal(sSrc.getBytes("utf-8"));
/** 此处使用BASE64做转码功能,同时能起到2次加密的作用。 */
return new Base64().encodeToString(encrypted);
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
public static String Encrypt(String sSrc) {
return Encrypt(sSrc, key);
}
/**
* AES 解密 使用AES-128-ECB加密模式
* @param sSrc 需要解密的字段
* @param sKey 16 位密钥
* @return
* @throws Exception
*/
public static String Decrypt(String sSrc, String sKey) {
try {
// 判断Key是否正确
if (sKey == null) {
return null;
}
// 判断Key是否为16位
if (sKey.length() != 16) {
return null;
}
byte[] raw = sKey.getBytes("utf-8");
SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, skeySpec);
/** 先用base64解密 */
byte[] encrypted1 = new Base64().decode(sSrc);
try {
byte[] original = cipher.doFinal(encrypted1);
String originalString = new String(original,"utf-8");
return originalString;
} catch (Exception e) {
System.out.println(e.toString());
return null;
}
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
public static String Decrypt(String sSrc) {
return Decrypt(sSrc, key);
}
}
(3)定义具体拦截处理实现
import org.apache.ibatis.type.BaseTypeHandler;
import org.apache.ibatis.type.JdbcType;
import java.sql.CallableStatement;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
public class TypeControlHandler extends BaseTypeHandler<String> {
@Override
public void setNonNullParameter(PreparedStatement ps, int i, String parameter, JdbcType jdbcType) throws SQLException {
ps.setString(i, DBAesUtils.Encrypt(parameter));
}
@Override
public String getNullableResult(ResultSet rs, String columnName) throws SQLException {
return DBAesUtils.Decrypt(rs.getString(columnName));
}
@Override
public String getNullableResult(ResultSet rs, int columnIndex) throws SQLException {
return DBAesUtils.Decrypt(rs.getString(columnIndex));
}
@Override
public String getNullableResult(CallableStatement cs, int columnIndex) throws SQLException {
return DBAesUtils.Decrypt(cs.getString(columnIndex));
}
}
(4)最终实现结果(有个小问题就是如果加密前字符一样,加密出来密文就是一样的)
至于加密的字段查询并没有想到好的方法,目前想到的只能不使用LambdaQueryWrapper,使用QueryWrapper写死条件进行查询,这里配合了mysql的加解密函数,其他数据库需更改加解密方式才能使用。
wrapper.like("AES_DECRYPT(FROM_BASE64(字段名),'" + key + "')", 查询值);
第二种方式(其实实现原理就是第一种方式,只不过加了相对来说更灵活的扩展):
(1)定义两个注解
/**
* 需要加解密的字段用这个注解
* @author [email protected]
* @Date 2023-05-31
*/
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface EncryptedColumn {
}
/**
* 需要加解密的实体类用这个注解
* @author [email protected]
* @Date 2023-05-31
*/
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
public @interface EncryptedTable {
}
(2)实现InnerInterceptor进行拦截加密操作(使用第一种方法的DBAesUtils工具类进行加密)
import cn.hutool.core.util.ReflectUtil;
import com.baomidou.mybatisplus.core.conditions.AbstractWrapper;
import com.baomidou.mybatisplus.core.conditions.update.Update;
import com.baomidou.mybatisplus.core.toolkit.Constants;
import com.baomidou.mybatisplus.extension.parser.JsqlParserSupport;
import com.baomidou.mybatisplus.extension.plugins.inner.InnerInterceptor;
import org.apache.ibatis.executor.Executor;
import org.apache.ibatis.mapping.MappedStatement;
import org.springframework.core.annotation.AnnotationUtils;
import java.lang.reflect.Field;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@SuppressWarnings({
"rawtypes"})
public class EncryptInterceptor extends JsqlParserSupport implements InnerInterceptor {
/**
* 变量占位符正则
*/
private static final Pattern PARAM_PAIRS_RE = Pattern.compile("#\\{ew\\.paramNameValuePairs\\.(" + Constants.WRAPPER_PARAM + "\\d+)\\}");
@Override
public void beforeUpdate(Executor executor, MappedStatement mappedStatement, Object parameterObject) throws SQLException {
if (Objects.isNull(parameterObject)) {
return;
}
// 通过MybatisPlus自带API(save、insert等)新增数据库时
if (!(parameterObject instanceof Map)) {
if (needToDecrypt(parameterObject.getClass())) {
encryptEntity(parameterObject);
}
return;
}
Map paramMap = (Map) parameterObject;
Object param;
// 通过MybatisPlus自带API(update、updateById等)修改数据库时
if (paramMap.containsKey(Constants.ENTITY) && null != (param = paramMap.get(Constants.ENTITY))) {
if (needToDecrypt(param.getClass())) {
encryptEntity(param);
}
return;
}
// 通过在mapper.xml中自定义API修改数据库时
if (paramMap.containsKey("entity") && null != (param = paramMap.get("entity"))) {
if (needToDecrypt(param.getClass())) {
encryptEntity(param);
}
return;
}
// 通过UpdateWrapper、LambdaUpdateWrapper修改数据库时
if (paramMap.containsKey(Constants.WRAPPER) && null != (param = paramMap.get(Constants.WRAPPER))) {
if (param instanceof Update && param instanceof AbstractWrapper) {
Class<?> entityClass = mappedStatement.getParameterMap().getType();
if (needToDecrypt(entityClass)) {
encryptWrapper(entityClass, param);
}
}
return;
}
}
/**
* 校验该实例的类是否被@EncryptedTable所注解
*/
private boolean needToDecrypt(Class<?> objectClass) {
try {
EncryptedTable sensitiveData = AnnotationUtils.findAnnotation(objectClass, EncryptedTable.class);
return Objects.nonNull(sensitiveData);
}catch (Exception ex){
return false;
}
}
/**
* 通过API(save、updateById等)修改数据库时
*
* @param parameter
*/
private void encryptEntity(Object parameter) {
//取出parameterType的类
Class<?> resultClass = parameter.getClass();
Field[] declaredFields = ReflectUtil.getFields(resultClass);
for (Field field : declaredFields) {
//取出所有被EncryptedColumn注解的字段
EncryptedColumn sensitiveField = field.getAnnotation(EncryptedColumn.class);
if (!Objects.isNull(sensitiveField)) {
field.setAccessible(true);
Object object = null;
try {
object = field.get(parameter);
} catch (IllegalAccessException e) {
continue;
}
//只支持String的解密
if (object instanceof String) {
String value = (String) object;
//对注解的字段进行逐一加密
try {
field.set(parameter, DBAesUtils.Encrypt(value));
} catch (IllegalAccessException e) {
continue;
}
}
}
}
}
/**
* 通过UpdateWrapper、LambdaUpdateWrapper修改数据库时
*
* @param entityClass
* @param ewParam
*/
private void encryptWrapper(Class<?> entityClass, Object ewParam) {
AbstractWrapper updateWrapper = (AbstractWrapper) ewParam;
String sqlSet = updateWrapper.getSqlSet();
String[] elArr = sqlSet.split(",");
Map<String, String> propMap = new HashMap<>(elArr.length);
Arrays.stream(elArr).forEach(el -> {
String[] elPart = el.split("=");
propMap.put(elPart[0], elPart[1]);
});
//取出parameterType的类
Field[] declaredFields = ReflectUtil.getFields(entityClass);
for (Field field : declaredFields) {
//取出所有被EncryptedColumn注解的字段
EncryptedColumn sensitiveField = field.getAnnotation(EncryptedColumn.class);
if (Objects.isNull(sensitiveField)) {
continue;
}
String el = propMap.get(field.getName());
Matcher matcher = PARAM_PAIRS_RE.matcher(el);
if (matcher.matches()) {
String valueKey = matcher.group(1);
Object value = updateWrapper.getParamNameValuePairs().get(valueKey);
updateWrapper.getParamNameValuePairs().put(valueKey, DBAesUtils.Encrypt(value.toString()));
}
}
}
}
(3)实现Interceptor进行拦截解密
import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.util.ReflectUtil;
import cn.hutool.core.util.StrUtil;
import com.baomidou.mybatisplus.core.metadata.IPage;
import org.apache.ibatis.executor.resultset.ResultSetHandler;
import org.apache.ibatis.plugin.*;
import org.springframework.core.annotation.AnnotationUtils;
import java.lang.reflect.Field;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Objects;
@Intercepts({
@Signature(type = ResultSetHandler.class, method = "handleResultSets", args = {
Statement.class})
})
public class DecryptInterceptor implements Interceptor {
@Override
public Object intercept(Invocation invocation) throws Throwable {
Object resultObject = invocation.proceed();
if (Objects.isNull(resultObject)) {
return null;
}
if(resultObject instanceof IPage){
IPage page = (IPage) resultObject;
if(page!=null&& CollUtil.isNotEmpty(page.getRecords())){
if (needToDecrypt(page.getRecords().get(0))) {
for (Object result : page.getRecords()) {
//逐一解密
decrypt(result);
}
}
}
}
else if (resultObject instanceof ArrayList) {
//基于selectList
ArrayList resultList = (ArrayList) resultObject;
if (CollUtil.isNotEmpty(resultList) && needToDecrypt(resultList.get(0))) {
for (Object result : resultList) {
//逐一解密
decrypt(result);
}
}
} else if (needToDecrypt(resultObject)) {
//基于selectOne
decrypt(resultObject);
}
return resultObject;
}
/**
* 校验该实例的类是否被@EncryptedTable所注解
*/
private boolean needToDecrypt(Object object) {
Class<?> objectClass = object.getClass();
EncryptedTable sensitiveData = AnnotationUtils.findAnnotation(objectClass, EncryptedTable.class);
return Objects.nonNull(sensitiveData);
}
@Override
public Object plugin(Object o) {
if(o instanceof ResultSetHandler) {
return Plugin.wrap(o, this);
}else{
return o;
}
}
private <T> T decrypt(T result) throws Exception {
//取出resultType的类
Class<?> resultClass = result.getClass();
Field[] declaredFields = ReflectUtil.getFields(resultClass);
for (Field field : declaredFields) {
//取出所有被EncryptedColumn注解的字段
EncryptedColumn sensitiveField = field.getAnnotation(EncryptedColumn.class);
if (!Objects.isNull(sensitiveField)) {
field.setAccessible(true);
Object object = field.get(result);
//只支持String的解密
if (object instanceof String) {
String value = (String) object;
//对注解的字段进行逐一解密
String results = DBAesUtils.Decrypt(value);
if(StrUtil.isNotEmpty(results)){
field.set(result, results);
}else{
field.set(result, value);
}
}
}
}
return result;
}
}
注:若是作为单独的starter进行封装,此拦截器需要定义在spring.factories中
org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
com.xxx.xxx.xxx.xxx.DecryptInterceptor
(4)实体类加上注解(需要@EncryptedTable和@EncryptedColumn配合使用)
@Data
@TableName(value = "xxx",autoResultMap = true)
@EncryptedTable
public class xxx implements Serializable {
private static final long serialVersionUID = 1L;
@TableId(type = IdType.NONE, value = "id")
private String id;
@ApiModelProperty(value = "用户名")
@TableField(value = "username")
@EncryptedColumn
private String username;
@ApiModelProperty(value = "手机号")
@TableField(value = "phone")
@EncryptedColumn
private String phone;
}
实现结果与第一种方式一样