Preface:
Use database views, dynamic query web interface desensitization when sensitive information.
Target: an interface for the user information query interface, the user returns to sensitive information (id, name, phone number [sensitive], ID number [sensitive]), if the web user is an administrator role, the query returns user information in plain text, If the user is a general user information, the query returns the user information after desensitization.
Specific steps:
First, a new table in mysql user information, and adds several data
Second, creating the view of the table is desensitized by desensitization masking technology, phone and desensitizing field is id_card
create view user_info_view as select id,name,concat(left(phone,3),'****',right(phone,3)) as phone,concat(left(phone,4),'**************') as id_card from user_info;
Three, SpringBoot project enabled SpringSecurity, in the configuration file, add two roles admin and normal memory when a new account
package Eleven.config; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder(){ return new BCryptPasswordEncoder(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { . auth.inMemoryAuthentication () withUser ( . "ADMIN") password (. PasswordEncoder () encode ( "123456")) Roles ( "ADMIN." ); . auth.inMemoryAuthentication () withUser ( . "User") password (PasswordEncoder () .encode ( "123456")) Roles ( "Normal." ); } @Override protected void Configure (HttpSecurity HTTP) throws Exception { http.authorizeRequests () // define what needs to be protected URL, which need not be protected .antMatchers ( "/ the Login"). permitAll () // set that everyone can access the login page .anyRequest (). the Authenticated () // any request, after logging in .and() .(Form login (). LoginPage"/login") ; } }
Fourth, create a domain class UserInfo
package Eleven.domain; public class UserInfo { private long id; private String name; private String phone; private String id_card; public long getId() { return id; } public void setId(long id) { this.id = id; } public String getName() { return name; } public void setName(String name) { this.name = name; } public String getPhone() { return phone; } public void setPhone(String phone) { this.phone = phone; } public String getId_card() { return id_card; } public void setId_card(String id_card) { this.id_card = id_card; } }
Fifth, create Mapper, an interface to access the database, two query methods, in order to distinguish the different roles of the original table or query after desensitization view
Package Eleven.mapper; Import Eleven.domain.UserInfo; Import org.apache.ibatis.annotations *. ; @Mapper public interface UserMapper { // The user name query, the original table, sensitive information in plain text @Select ( "select * WHERE name = # USER_INFO from {name} " ) the UserInfo the findByName (String name); // the user name query, the query table view desensitization, desensitization of sensitive information display @Select (" select * from user_info_view where name = # name} { " ) the UserInfo findByNameSec (String name); }
Six Impl files and create Service
package Eleven.service; import Eleven.domain.UserInfo; public interface UserService { public UserInfo find(String name); public UserInfo findSec(String name); }
package Eleven.impl; import Eleven.domain.UserInfo; import Eleven.mapper.UserMapper; import Eleven.service.UserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; @Service public class UserServiceImpl implements UserService { @Autowired private UserMapper userMapper; @Override public UserInfo find(String name){ return userMapper.findByName(name); } public UserInfo findSec(String name){ return userMapper.findByNameSec(name); } }
Seven, to create a controller file that request Get in, get logged-on user roles, different roles in different functions Service call, ultimately execute SQL queries in the original database table admin users, ordinary users to run SQL in view of the desensitization Inquire
package Eleven.controller; import Eleven.domain.User; import Eleven.domain.UserInfo; import Eleven.service.UserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; @RestController public class UserController { @Autowired private UserService userService; @GetMapping ( "/ findByName" ) public Object findByName (String name) { / ** * Gets logged-on user roles, different roles in different functions Service call eventually perform different Sql queries * / Authentication auth = SecurityContextHolder.getContext ( ) .getAuthentication (); IF (auth.getAuthorities () toString () the equals ( "[ROLE_ADMIN].". )) { the UserInfo the userInfo = userService.find (name); return the userInfo; } the else IF (auth.getAuthorities () .toString (). the equals ( "[ROLE_normal]" )) { the UserInfo the userInfo = userService.findSec(name); return userInfo; } else { return auth.getAuthorities().toString(); } } }
Eight, testing and certification
1, access SpringBoot WEB, enter the login page
2, after the user logs in using the admin, user access to information query interface as shown below, returns user information in plain text
3, an ordinary user using the user login access, as shown, the user information is returned after desensitization
Use database technology to achieve dynamic view of desensitization for web application, for production environments, users can return query results before and after the role of desensitization. But all sensitive data tables are required to generate views, extra storage space occupied by the database; In order to achieve the goal, developers require additional development effort.