Use database views to achieve WEB query interface to dynamically desensitization of sensitive information

Preface:

Use database views, dynamic query web interface desensitization when sensitive information.

Target: an interface for the user information query interface, the user returns to sensitive information (id, name, phone number [sensitive], ID number [sensitive]), if the web user is an administrator role, the query returns user information in plain text, If the user is a general user information, the query returns the user information after desensitization.

Specific steps:

First, a new table in mysql user information, and adds several data

Second, creating the view of the table is desensitized by desensitization masking technology, phone and desensitizing field is id_card

create view  user_info_view as select id,name,concat(left(phone,3),'****',right(phone,3)) as phone,concat(left(phone,4),'**************') as id_card from user_info;

 

Three, SpringBoot project enabled SpringSecurity, in the configuration file, add two roles admin and normal memory when a new account

package Eleven.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        . auth.inMemoryAuthentication () withUser ( . "ADMIN") password (. PasswordEncoder () encode ( "123456")) Roles ( "ADMIN." ); 
        . auth.inMemoryAuthentication () withUser ( . "User") password (PasswordEncoder () .encode ( "123456")) Roles ( "Normal." ); 
    } 

    @Override 
    protected  void Configure (HttpSecurity HTTP) throws Exception { 
        http.authorizeRequests () // define what needs to be protected URL, which need not be protected 
                .antMatchers ( "/ the Login"). permitAll () // set that everyone can access the login page 
                .anyRequest (). the Authenticated ()   // any request, after logging in 
                .and() 
                .(Form login (). LoginPage"/login")
        ;

    }
}

View Code

 

Fourth, create a domain class UserInfo

package Eleven.domain;

public class UserInfo {

    private long id;
    private String name;
    private String phone;
    private String id_card;

    public long getId() {
        return id;
    }

    public void setId(long id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getPhone() {
        return phone;
    }

    public void setPhone(String phone) {
        this.phone = phone;
    }

    public String getId_card() {
        return id_card;
    }

    public void setId_card(String id_card) {
        this.id_card = id_card;
    }
}

View Code

 

Fifth, create Mapper, an interface to access the database, two query methods, in order to distinguish the different roles of the original table or query after desensitization view

Package Eleven.mapper; 

Import Eleven.domain.UserInfo;
 Import org.apache.ibatis.annotations *. ; 


@Mapper 
public  interface UserMapper { 


    // The user name query, the original table, sensitive information in plain text 
    @Select ( "select * WHERE name = # USER_INFO from {name} " ) 
    the UserInfo the findByName (String name); 

    // the user name query, the query table view desensitization, desensitization of sensitive information display 
    @Select (" select * from user_info_view where name = # name} { " ) 
    the UserInfo findByNameSec (String name); 
}

View Code

 

Six Impl files and create Service

 

package Eleven.service;


import Eleven.domain.UserInfo;

public interface UserService {
    
    public UserInfo find(String name);

    public UserInfo findSec(String name);

}

View Code

 

package Eleven.impl;

import Eleven.domain.UserInfo;
import Eleven.mapper.UserMapper;
import Eleven.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;


@Service
public class UserServiceImpl implements UserService {
    @Autowired
    private UserMapper userMapper;


    @Override
    public  UserInfo find(String name){
        return userMapper.findByName(name);
    }

    public  UserInfo findSec(String name){
        return userMapper.findByNameSec(name);
    }
}

View Code

 

Seven, to create a controller file that request Get in, get logged-on user roles, different roles in different functions Service call, ultimately execute SQL queries in the original database table admin users, ordinary users to run SQL in view of the desensitization Inquire

 

package Eleven.controller;

import Eleven.domain.User;
import Eleven.domain.UserInfo;
import Eleven.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {
    @Autowired
    private UserService userService;

    @GetMapping ( "/ findByName" )
     public Object findByName (String name) {
         / ** 
         * Gets logged-on user roles, different roles in different functions Service call eventually perform different Sql queries 
         * / 
        Authentication auth = SecurityContextHolder.getContext ( ) .getAuthentication ();
         IF (auth.getAuthorities () toString () the equals ( "[ROLE_ADMIN].". )) { 
            the UserInfo the userInfo = userService.find (name);
             return the userInfo; 
        } 
         the else  IF (auth.getAuthorities () .toString (). the equals ( "[ROLE_normal]" )) { 
            the UserInfo the userInfo = userService.findSec(name);
            return userInfo;
        }
         else {
             return auth.getAuthorities().toString();
        }

    }

}

View Code

 

 Eight, testing and certification

1, access SpringBoot WEB, enter the login page

 

 2, after the user logs in using the admin, user access to information query interface as shown below, returns user information in plain text

3, an ordinary user using the user login access, as shown, the user information is returned after desensitization

Use database technology to achieve dynamic view of desensitization for web application, for production environments, users can return query results before and after the role of desensitization. But all sensitive data tables are required to generate views, extra storage space occupied by the database; In order to achieve the goal, developers require additional development effort.