背景

最近项目涉及到用户隐私敏感信息（比如：身份证，手机号），防止敏感信息泄露，进行了脱敏处理。

方案调研

1. 基于JSON过滤器对响应体脱敏

2. 基于Mybatis拦截器对查询出数据进行脱敏

优缺点

第2种非常简单粗暴脱敏，比如：app展示联系方式，点击跳到拨打电话界面，显示不行了。最终决定采用第1种方案。

实现原理（基于fastjson的ValueFilter）

1. 脱敏函数接口

public interface Desensitizer extends Function<String, String> {
}

2. 脱敏函数策略

public enum SensitiveStrategy {

    /**
     * Username sensitive strategy.
     */
    USERNAME(s -> s.replaceAll("(\\S)\\S(\\S*)", "$1*$2")),
    /**
     * Id card sensitive type.
     */
    ID_CARD(s -> s.replaceAll("(\\d{4})\\d{10}(\\w{4})", "$1****$2")),
    /**
     * Phone sensitive type.
     */
    PHONE(s -> s.replaceAll("(\\d{3})\\d{4}(\\d{4})", "$1****$2")),

    /**
     * Address sensitive type.
     */
    ADDRESS(s -> s.replaceAll("(\\S{8})\\S{4}(\\S*)\\S{4}", "$1****$2****"));


    private final Desensitizer desensitizer;

    SensitiveStrategy(Desensitizer desensitizer) {
        this.desensitizer = desensitizer;
    }

    /**
     * Gets desensitizer.
     *
     * @return the desensitizer
     */
    public Desensitizer getDesensitizer() {
        return desensitizer;
    }

}

脱敏注解

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface Sensitive {
    SensitiveStrategy strategy();
}

脱敏filter

@Slf4j
public class ValueDesensitizeFilter implements ValueFilter {
    @Override
    public Object process(Object object, String name, Object value) {
        if (null == value || !(value instanceof String) || ((String) value).length() == 0) {
            return value;
        }
        try {
            Field[] fields = object.getClass().getDeclaredFields();
            List<Field> fieldList = Stream.of(fields).filter(o -> o.getName().equals(name)).collect(Collectors.toList());
            if (fieldList == null || fieldList.size() <= 0) {
                return value;
            }
            Field field = fieldList.get(0);
            Sensitive sensitive;
            if (String.class != field.getType() || (sensitive = field.getAnnotation(Sensitive.class)) == null) {
                return value;
            }
            return sensitive.strategy().getDesensitizer().apply((String) value);
        } catch (Exception e) {
            log.error("ValueDesensitizeFilter field class:{},name:{},value:{}", object.getClass(), name, value);
            return value;
        }
    }
}

springboot配置

@Configuration
public class WebConfig implements WebMvcConfigurer {
    /**
     * 配置fastjson为默认JSON转换
     *
     * @return
     */
    @Bean
    public HttpMessageConverters fastJsonHttpMessageConverters() {
        // 1.定义一个converters转换消息的对象
        FastJsonHttpMessageConverter fastConverter = new FastJsonHttpMessageConverter();
        // 2.添加fastjson的配置信息，比如: 是否需要格式化返回的json数据
        FastJsonConfig fastJsonConfig = new FastJsonConfig();
        fastJsonConfig.setSerializerFeatures(SerializerFeature.PrettyFormat, SerializerFeature.DisableCircularReferenceDetect);
        fastJsonConfig.setSerializeFilters(new ValueDesensitizeFilter());//添加自己写的拦截器
        // 3.在converter中添加配置信息
        fastConverter.setFastJsonConfig(fastJsonConfig);
        // 4.将converter赋值给HttpMessageConverter
        HttpMessageConverter<?> converter = fastConverter;
        // 5.返回HttpMessageConverters对象
        return new HttpMessageConverters(converter);
    }

}