Springboot 數據安全傳輸加密與解密
作者:FastCoder
通過繼承RequestBodyAdviceAdapter實現對于請求的內容進行解密操作,實現ResponseBodyAdvice來對相應內容進行加密處理。
環境:springboot2.2.6.RELEASE、Vue+axios
通過繼承RequestBodyAdviceAdapter實現對于請求的內容進行解密操作,實現ResponseBodyAdvice來對相應內容進行加密處理。
定義加密解密的接口:
SecretProcess.java
- public interface SecretProcess {
- /**
- * <p>數據加密</p>
- * <p>時間:2020年12月24日-下午12:22:13</p>
- * @author xg
- * @param data 待加密數據
- * @return String 加密結果
- */
- String encrypt(String data) ;
- /**
- * <p>數據解密</p>
- * <p>時間:2020年12月24日-下午12:23:20</p>
- * @author xg
- * @param data 待解密數據
- * @return String 解密后的數據
- */
- String decrypt(String data) ;
- /**
- * <p>加密算法格式:算法[/模式/填充]</p>
- * <p>時間:2020年12月24日-下午12:32:49</p>
- * @author xg
- * @return String
- */
- String getAlgorithm() ;
- public static class Hex {
- private static final char[] HEX = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
- 'a', 'b', 'c', 'd', 'e', 'f' };
- public static byte[] decode(CharSequence s) {
- int nChars = s.length();
- if (nChars % 2 != 0) {
- throw new IllegalArgumentException("16進制數據錯誤");
- }
- byte[] result = new byte[nChars / 2];
- for (int i = 0; i < nChars; i += 2) {
- int msb = Character.digit(s.charAt(i), 16);
- int lsb = Character.digit(s.charAt(i + 1), 16);
- if (msb < 0 || lsb < 0) {
- throw new IllegalArgumentException(
- "Detected a Non-hex character at " + (i + 1) + " or " + (i + 2) + " position");
- }
- result[i / 2] = (byte) ((msb << 4) | lsb);
- }
- return result;
- }
- public static String encode(byte[] buf) {
- StringBuilder sb = new StringBuilder() ;
- for (int i = 0, leng = buf.length; i < leng; i++) {
- sb.append(HEX[(buf[i] & 0xF0) >>> 4]).append(HEX[buf[i] & 0x0F]) ;
- }
- return sb.toString() ;
- }
- }
- }
該接口中定義了兩個方法分別是加密與解密的方法,還有Hex類 該類用來對數據處理16進制的轉換。
定義一個抽象類實現上面的接口,具體的加解密實現細節在該抽象類中
AbstractSecretProcess.java
- public abstract class AbstractSecretProcess implements SecretProcess {
- @Resource
- private SecretProperties props ;
- @Override
- public String decrypt(String data) {
- try {
- Cipher cipher = Cipher.getInstance(getAlgorithm()) ;
- cipher.init(Cipher.DECRYPT_MODE, keySpec()) ;
- byte[] decryptBytes = cipher.doFinal(Hex.decode(data)) ;
- return new String(decryptBytes) ;
- } catch (Exception e) {
- throw new RuntimeException(e) ;
- }
- }
- @Override
- public String encrypt(String data) {
- try {
- Cipher cipher = Cipher.getInstance(getAlgorithm()) ;
- cipher.init(Cipher.ENCRYPT_MODE, keySpec()) ;
- return Hex.encode(cipher.doFinal(data.getBytes(Charset.forName("UTF-8")))) ;
- } catch (Exception e) {
- throw new RuntimeException(e) ;
- }
- }
- /**
- * <p>根據密鑰生成不同的密鑰材料</p>
- * <p>目前支持:AES, DES</p>
- * <p>時間:2020年12月25日-下午1:02:54</p>
- * @author xg
- * @param secretKey 密鑰
- * @param algorithm 算法
- * @return Key
- */
- public Key getKeySpec(String algorithm) {
- if (algorithm == null || algorithm.trim().length() == 0) {
- return null ;
- }
- String secretKey = props.getKey() ;
- switch (algorithm.toUpperCase()) {
- case "AES":
- return new SecretKeySpec(secretKey.getBytes(), "AES") ;
- case "DES":
- Key key = null ;
- try {
- DESKeySpec desKeySpec = new DESKeySpec(secretKey.getBytes()) ;
- SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("DES") ;
- key = secretKeyFactory.generateSecret(desKeySpec);
- } catch (Exception e) {
- throw new RuntimeException(e) ;
- }
- return key ;
- default:
- return null ;
- }
- }
- /**
- * <p>生成密鑰材料</p>
- * <p>時間:2020年12月25日-上午11:35:03</p>
- * @author xg
- * @return Key 密鑰材料
- */
- public abstract Key keySpec() ;
- }
該抽象類中提供了2中對稱加密的密鑰還原,分表是AES和DES算法。一個抽象方法,該抽象方法
keySpec該方法需要子類實現(具體使用的是哪種對稱加密算法)。
具體加密算法的實現類
AESAlgorithm.java
- public class AESAlgorithm extends AbstractSecretProcess {
- @Override
- public String getAlgorithm() {
- return "AES/ECB/PKCS5Padding";
- }
- @Override
- public Key keySpec() {
- return this.getKeySpec("AES") ;
- }
- }
SecretProperties.java 屬性配置類
- @Configuration
- public class SecretConfig {
- @Bean
- @ConditionalOnMissingBean(SecretProcess.class)
- public SecretProcess secretProcess() {
- return new AESAlgorithm() ;
- }
- @Component
- @ConfigurationProperties(prefix = "secret")
- public static class SecretProperties {
- private Boolean enabled ;
- private String key ;
- public Boolean getEnabled() {
- return enabled;
- }
- public void setEnabled(Boolean enabled) {
- this.enabled = enabled;
- }
- public String getKey() {
- return key;
- }
- public void setKey(String key) {
- this.key = key;
- }
- }
- }
配置文件中如下配置:
- secret:
- key: aaaabbbbccccdddd #密鑰
- enabled: true #是否開啟加解密功能
在項目中可能不是所有的方法都要進行數據的加密解密出來,所以接下來定義一個注解,只有添加有該注解的Controller類或是具體接口方法才進行數據的加密解密,如下:
SIProtection.java
- @Target({ElementType.METHOD, ElementType.TYPE})
- @Retention(RetentionPolicy.RUNTIME)
- @Mapping
- @Documented
- public @interface SIProtection {
- }
對請求內容進行解密出來,通過RequestBodyAdvice
DecryptRequestBodyAdivce.java
- @ControllerAdvice
- @ConditionalOnProperty(name = "secret.enabled", havingValue = "true")
- public class DecryptRequestBodyAdivce extends RequestBodyAdviceAdapter {
- @Resource
- private SecretProcess secretProcess ;
- @Override
- public boolean supports(MethodParameter methodParameter, Type targetType,
- Class<? extends HttpMessageConverter<?>> converterType) {
- return methodParameter.getMethod().isAnnotationPresent(SIProtection.class)
- || methodParameter.getMethod().getDeclaringClass().isAnnotationPresent(SIProtection.class) ;
- }
- @Override
- public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter parameter, Type targetType,
- Class<? extends HttpMessageConverter<?>> converterType) throws IOException {
- String body = secretProcess.decrypt(inToString(inputMessage.getBody())) ;
- return new HttpInputMessage() {
- @Override
- public HttpHeaders getHeaders() {
- return inputMessage.getHeaders();
- }
- @Override
- public InputStream getBody() throws IOException {
- return new ByteArrayInputStream(body.getBytes()) ;
- }
- } ;
- }
- private String inToString(InputStream is) {
- byte[] buf = new byte[10 * 1024] ;
- int leng = -1 ;
- StringBuilder sb = new StringBuilder() ;
- try {
- while ((leng = is.read(buf)) != -1) {
- sb.append(new String(buf, 0, leng)) ;
- }
- return sb.toString() ;
- } catch (IOException e) {
- throw new RuntimeException(e) ;
- }
- }
- }
注意這里的:@ConditionalOnProperty(name = "secret.enabled", havingValue = "true")注解,只有開啟了加解密功能才會生效。注意這里的supports方法
對響應內容加密出來
EncryptResponseBodyAdivce.java
- @ControllerAdvice
- @ConditionalOnProperty(name = "secret.enabled", havingValue = "true")
- public class EncryptResponseBodyAdivce implements ResponseBodyAdvice<Object> {
- @Resource
- private SecretProcess secretProcess ;
- @Override
- public boolean supports(MethodParameter returnType, Class<? extends HttpMessageConverter<?>> converterType) {
- return returnType.getMethod().isAnnotationPresent(SIProtection.class)
- || returnType.getMethod().getDeclaringClass().isAnnotationPresent(SIProtection.class) ;
- }
- @Override
- public Object beforeBodyWrite(Object body, MethodParameter returnType, MediaType selectedContentType,
- Class<? extends HttpMessageConverter<?>> selectedConverterType, ServerHttpRequest request,
- ServerHttpResponse response) {
- if (body == null) {
- return body ;
- }
- try {
- String jsonStr = new ObjectMapper().writeValueAsString(body) ;
- return secretProcess.encrypt(jsonStr) ;
- } catch (Exception e) {
- throw new RuntimeException(e) ;
- }
- }
- }
Controller應用
- @PostMapping("/save")
- @SIProtection
- public R save(@RequestBody Users users) {
- return R.success(usersService.save(users)) ;
- } // 這對具體方法進行加解密
- @RestController
- @RequestMapping("/users")
- @SIProtection
- public class UsersController { // 對該Controller中的所有方法進行加解密處理
- }
前端
引入第三方插件:crypto-js
工具方法加解密:
- /**
- * 加密方法
- * @param data 待加密數據
- * @returns {string|*}
- */
- encrypt (data) {
- let key = CryptoJS.enc.Utf8.parse(Consts.Secret.key)
- if (typeof data === 'object') {
- data = JSON.stringify(data)
- }
- let plainText = CryptoJS.enc.Utf8.parse(data)
- let secretText = CryptoJS.AES.encrypt(plainText, key, {mode: CryptoJS.mode.ECB, padding: CryptoJS.pad.Pkcs7}).ciphertext.toString()
- return secretText
- },
- /**
- * 解密數據
- * @param data 待解密數據
- */
- decrypt (data) {
- let key = CryptoJS.enc.Utf8.parse(Consts.Secret.key)
- let secretText = CryptoJS.enc.Hex.parse(data)
- let encryptedBase64Str = CryptoJS.enc.Base64.stringify(secretText)
- let result = CryptoJS.AES.decrypt(encryptedBase64Str, key, {mode: CryptoJS.mode.ECB, padding: CryptoJS.pad.Pkcs7}).toString(CryptoJS.enc.Utf8)
- return JSON.parse(result)
- }
配置:
- let Consts = {
- Secret: {
- key: 'aaaabbbbccccdddd', // 必須16位(前后端要一致,密鑰)
- urls: ['/users/save']
- }
- }
- export default Consts
這里的urls表示對那些請求進行攔截出來(加解密),這里也可以配置 "*" 表示對所有的請求出來。
axios請求前和響應后對數據進行加解密出來:
發送請求前:
- axios.interceptors.request.use((config) => {
- let uri = config.url
- if (uri.includes('?')) {
- uri = uri.substring(0, uri.indexOf('?'))
- }
- if (window.cfg.enableSecret === '1' && config.data && (Consts.Secret.urls.indexOf('*') > -1 || Consts.Secret.urls.indexOf(uri) > -1)) {
- let data = config.data
- let secretText = Utils.Secret.encrypt(data)
- config.data = secretText
- }
- return config
- }, (error) => {
- let errorMessage = '請求失敗'
- store.dispatch(types.G_SHOW_ALERT, {title: '請求失敗', content: errorMessage, showDetail: false, detailContent: String(error)})
- return Promise.reject(error)
- })
- axios.interceptors.response.use((response) => {
- let uri = response.config.url
- if (uri.includes('?')) {
- uri = uri.substring(0, uri.indexOf('?'))
- }
- if (window.cfg.enableSecret === '1' && response.data && (Consts.Secret.urls.indexOf('*') > -1 || Consts.Secret.urls.indexOf(uri) > -1)) {
- let data = Utils.Secret.decrypt(response.data)
- if (data) {
- response.data = data
- }
- }
- return response
- }, (error) => {
- console.error(`test interceptors.response is in, ${error}`)
- return Promise.reject(error)
- })
這里的 window.cfg.enableSecret 配置是我自己項目中有個配置文件配置是否開啟,這個大家可以根據自己的環境來實現。
測試:
這里可以看到前端發起的請求內容已經被加密了
響應內容:
完畢!!!
責任編輯:姜華
來源:
今日頭條
