说明:
公司之前数据接口数据管理不严格,很多接口的敏感数据都没有脱敏处理,直接返回给前端了,然后被甲方的第三方安全漏洞扫出来,老板要求紧急处理,常用的话在单个字段上加上脱敏注解会更加的灵活,但是时间有点紧,一个个返回对象的响应参数里面的单个字段处理比较耗时间
想法:
就是快!!!快速处理
利用aop注解,对返回的对象进行处理,默认一些常用的需要脱敏的字段名,比如password、mobile、idCardNo等,支持自定义对象名称列表。同时如果返回的是个列表,则需要对列表里面的值也都遍历处理。
直接在controller接口上添加注解,就能对返回的数据做全局处理,不要一个个对象里面的一个个字段进行处理。
效果
实操:
1、pom引入依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
</dependency>
<!-- hutool工具类 -->
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>5.8.15</version>
</dependency>
2、自定义注解
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface SensitiveResponse {
/**
* 默认需要脱敏的字段列表
* @return 字段列表
*/
String[] value() default {"password", "mobile", "phone", "idCardNo", "email", "bankCardNo", "address"};
/**
* 默认字段上再增加的字段
* @return 字段列表
*/
String[] addValue() default {};
}
配置实现
import cn.hutool.core.util.DesensitizedUtil;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@Aspect
@Component
public class SensitiveResponseConfig {
/**
* 定义切点为注解
*/
@Pointcut("@annotation(sensitiveResponse)")
public void sensitiveResponsePointcut(SensitiveResponse sensitiveResponse) {
}
@AfterReturning(pointcut = "sensitiveResponsePointcut(sensitiveResponse)", returning = "response", argNames = "sensitiveResponse,response")
public void desensitizeResponse(SensitiveResponse sensitiveResponse, Object response) {
List<String> sensitiveFields = new ArrayList<>(Arrays.asList(sensitiveResponse.value()));
sensitiveFields.addAll(Arrays.asList(sensitiveResponse.addValue()));
if (ObjectUtils.isEmpty(sensitiveFields)) {
return;
}
if (response instanceof List) {
List<Object> dataList = (List<Object>) response;
for (Object data : dataList) {
desensitizeObjectFields(data, sensitiveFields);
}
} else {
desensitizeObjectFields(response, sensitiveFields);
}
}
private void desensitizeObjectFields(Object obj, List<String> sensitiveFields) {
Arrays.stream(obj.getClass().getDeclaredFields())
.filter(field -> sensitiveFields.contains(field.getName()))
.forEach(field -> {
field.setAccessible(true);
try {
String fieldValue = (String) field.get(obj);
if (StringUtils.isNotBlank(fieldValue)) {
String fieldName = field.getName();
String desensitizedValue = "";
switch (fieldName) {
case "mobile":
case "phone":
desensitizedValue = DesensitizedUtil.mobilePhone(fieldValue);
break;
// 身份证保留前六后三
case "idCardNo":
desensitizedValue = DesensitizedUtil.idCardNum(fieldValue, 6, 3);
break;
case "email":
desensitizedValue = DesensitizedUtil.email(fieldValue);
break;
case "address" :
desensitizedValue = DesensitizedUtil.address(fieldValue, 6);
break;
case "bankCardNo" :
desensitizedValue = DesensitizedUtil.bankCard(fieldValue);
break;
default:
// 默认按密码方式全部*号处理
desensitizedValue = DesensitizedUtil.password(fieldValue);
break;
}
field.set(obj, desensitizedValue);
}
} catch (IllegalAccessException e) {
e.printStackTrace();
}
});
// 递归处理子对象字段脱敏
Arrays.stream(obj.getClass().getDeclaredFields())
// 排除基本数据类型和Java内置类型
.filter(field -> !field.getType().isPrimitive() && !field.getType().getName().startsWith("java"))
.forEach(field -> {
field.setAccessible(true);
try {
Object fieldValue = field.get(obj);
if (fieldValue != null) {
desensitizeObjectFields(fieldValue, sensitiveFields);
}
} catch (IllegalAccessException e) {
e.printStackTrace();
}
});`
3、使用
