一、什么是Mybatis Plugin

在mybatis官方文档中,对于Mybatis plugin的的介绍是这样的:

1
2
3
4
5
6
7
8
9
10
11
12
13
MyBatis 允许你在已映射语句执行过程中的某一点进行拦截调用。默认情况下,MyBatis 允许使用插件来拦截的方法调用包括:

//语句执行拦截
Executor (update, query, flushStatements, commit, rollback, getTransaction, close, isClosed)

// 参数获取、设置时进行拦截
ParameterHandler (getParameterObject, setParameters)

// 对返回结果进行拦截
ResultSetHandler (handleResultSets, handleOutputParameters)

//sql语句拦截
StatementHandler (prepare, parameterize, batch, update, query)

简而言之,即在执行sql的整个周期中,我们可以任意切入到某一点对sql的参数、sql执行结果集、sql语句本身等进行切面处理。基于这个特性,我们便可以使用其对我们需要进行加密的数据进行切面统一加密处理了(分页插件 pageHelper 就是这样实现数据库分页查询的)。

二、实现基于注解的敏感信息加解密拦截器

2.1 实现思路

对于数据的加密与解密,应当存在两个拦截器对数据进行拦截操作

参照官方文档,因此此处我们应当使用ParameterHandler拦截器对入参进行加密

使用ResultSetHandler拦截器对出参进行解密操作。

mybatis的interceptor接口有以下方法需要实现。

1
2
3
4
5
6
7
8
9
10
11
12
public interface Interceptor {
 
  //主要参数拦截方法
  Object intercept(Invocation invocation) throws Throwable;
 
  //mybatis插件链
  default Object plugin(Object target) {return Plugin.wrap(target, this);}
 
  //自定义插件配置文件方法
  default void setProperties(Properties properties) {}
 
}

2.2 定义需要加密解密的敏感信息注解

定义注解敏感信息类的注解

1
2
3
4
5
6
7
8
9
10
11
import java.lang.annotation.*;

/**
 * 注解敏感信息类的注解
 * @author shuzhuo
 */
@Inherited
@Target({ ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
public @interface SensitiveData {
}

定义注解敏感信息类中敏感字段的注解

1
2
3
4
5
6
7
8
9
10
11
import java.lang.annotation.*;

/**
 * 注解敏感信息类中敏感字段的注解
 * @author shuzhuo
 */
@Inherited
@Target({ ElementType.FIELD })
@Retention(RetentionPolicy.RUNTIME)
public @interface SensitiveField {
}

2.3 定义加密接口及其实现类

定义加密接口,方便以后拓展加密方法(如AES加密算法拓展支持PBE算法,只需要注入时指定一下便可)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import java.lang.reflect.Field;

/**
 * @author shuzhuo
 */
public interface EncryptUtil {

    /**
     * 加密
     *
     * @param declaredFields paramsObject所声明的字段
     * @param paramsObject   mapper中paramsType的实例
     * @return T
     * @throws IllegalAccessException 字段不可访问异常
     */
    <T> T encrypt(Field[] declaredFields, T paramsObject) throws IllegalAccessException;
}

EncryptUtil 的AES加密实现类

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
import cn.hutool.crypto.symmetric.SymmetricAlgorithm;
import cn.hutool.crypto.symmetric.SymmetricCrypto;
import com.example.demospringboot.mybaits.annotation.SensitiveField;
import org.springframework.stereotype.Component;

import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.util.Objects;

/**
 * @author shuzhuo
 */
@Component
public class AESEncrypt implements EncryptUtil {


    private  static  final String keyString ="IaMcazxF5NR1hqZeKdetJQ==";
    private  static  final SymmetricCrypto aes = new SymmetricCrypto(SymmetricAlgorithm.AES, keyString.getBytes(StandardCharsets.UTF_8));


    /**
     * 加密
     *
     * @param declaredFields paramsObject所声明的字段
     * @param paramsObject   mapper中paramsType的实例
     * @return T
     * @throws IllegalAccessException 字段不可访问异常
     */
    @Override
    public <T> T encrypt(Field[] declaredFields, T paramsObject) throws IllegalAccessException {
        for (Field field : declaredFields) {
            //取出所有被EncryptDecryptField注解的字段
            SensitiveField sensitiveField = field.getAnnotation(SensitiveField.class);
            if (!Objects.isNull(sensitiveField)) {
                field.setAccessible(true);
                Object object = field.get(paramsObject);
                //暂时只实现String类型的加密
                if (object instanceof String) {
                    String value = (String) object;
                    //加密  这里我使用自定义的AES加密工具
                    String s1 = aes.encryptBase64(value);
                    field.set(paramsObject, s1);
                }
            }
        }
        return paramsObject;
    }
}

2.4 实现入参加密拦截器

Myabtis包中的org.apache.ibatis.plugin.Interceptor拦截器接口要求我们实现以下三个方法

1
2
3
4
5
6
7
8
9
10
11
12
public interface Interceptor {
 
  //核心拦截逻辑
  Object intercept(Invocation invocation) throws Throwable;
  
  //拦截器链
  default Object plugin(Object target) {return Plugin.wrap(target, this);}
 
  //自定义配置文件操作
  default void setProperties(Properties properties) { }
 
}

因此,参考官方文档的示例,我们自定义一个入参加密拦截器。

1
2
3
4
5
6
@Intercepts 注解开启拦截器,@Signature 注解定义拦截器的实际类型。

@Signature中
    type 属性指定当前拦截器使用StatementHandler 、ResultSetHandler、ParameterHandler,Executor的一种
    method 属性指定使用以上四种类型的具体方法(可进入class内部查看其方法)。
    args 属性指定这个方法的参数
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
import com.example.demospringboot.mybaits.annotation.SensitiveData;
import lombok.extern.slf4j.Slf4j;
import org.apache.ibatis.executor.parameter.ParameterHandler;
import org.apache.ibatis.plugin.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.stereotype.Component;

import java.lang.reflect.Field;
import java.sql.PreparedStatement;
import java.util.Objects;
import java.util.Properties;

/**
 * 加密拦截器
 * 注意@Component注解一定要加上
 *
 * @author shuzhuo
 */
@Slf4j
@Component
@Intercepts({
        @Signature(type = ParameterHandler.class, method = "setParameters", args = PreparedStatement.class),
})
public class EncryptInterceptor implements Interceptor {

    private final EncryptUtil encryptUtil;

    @Autowired
    public EncryptInterceptor(EncryptUtil encryptUtil) {
        this.encryptUtil = encryptUtil;
    }


    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        //@Signature 指定了 type= parameterHandler 后,这里的 invocation.getTarget() 便是parameterHandler 
        //若指定ResultSetHandler ,这里则能强转为ResultSetHandler
        ParameterHandler parameterHandler = (ParameterHandler) invocation.getTarget();
        // 获取参数对像,即 mapper 中 paramsType 的实例
        Field parameterField = parameterHandler.getClass().getDeclaredField("parameterObject");
        parameterField.setAccessible(true);
        //取出实例
        Object parameterObject = parameterField.get(parameterHandler);
        if (parameterObject != null) {
            Class<?> parameterObjectClass = parameterObject.getClass();
            //校验该实例的类是否被@SensitiveData所注解
            SensitiveData sensitiveData = AnnotationUtils.findAnnotation(parameterObjectClass, SensitiveData.class);
            if (Objects.nonNull(sensitiveData)) {
                //取出当前当前类所有字段,传入加密方法
                Field[] declaredFields = parameterObjectClass.getDeclaredFields();
                encryptUtil.encrypt(declaredFields, parameterObject);
            }
        }
        return invocation.proceed();
    }

    /**
     * 切记配置,否则当前拦截器不会加入拦截器链
     */
    @Override
    public Object plugin(Object o) {
        return Plugin.wrap(o, this);
    }

    //自定义配置写入,没有自定义配置的可以直接置空此方法
    @Override
    public void setProperties(Properties properties) {
    }
}

自定义加密拦截加密完成

2.5 定义解密接口及其实现类

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/**
 * @author shuzhuo
 */
public interface DecryptUtil {

    /**
     * 解密
     *
     * @param result resultType的实例
     * @return T
     * @throws IllegalAccessException 字段不可访问异常
     */
    <T> T decrypt(T result) throws IllegalAccessException;

}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
import cn.hutool.crypto.symmetric.SymmetricAlgorithm;
import cn.hutool.crypto.symmetric.SymmetricCrypto;
import com.example.demospringboot.mybaits.annotation.SensitiveField;
import org.springframework.stereotype.Component;

import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.util.Objects;

/**
 * @author shuzhuo
 */
@Component
public class AESDecrypt implements DecryptUtil {

    private static final String keyString = "IaMcazxF5NR1hqZeKdetJQ==";
    private static final SymmetricCrypto aes = new SymmetricCrypto(SymmetricAlgorithm.AES, keyString.getBytes(StandardCharsets.UTF_8));

    /**
     * 解密
     *
     * @param result resultType的实例
     * @return T
     * @throws IllegalAccessException 字段不可访问异常
     */
    @Override
    public <T> T decrypt(T result) throws IllegalAccessException {
        //取出resultType的类
        Class<?> resultClass = result.getClass();
        Field[] declaredFields = resultClass.getDeclaredFields();
        for (Field field : declaredFields) {
            //取出所有被EncryptDecryptField注解的字段
            SensitiveField sensitiveField = field.getAnnotation(SensitiveField.class);
            if (!Objects.isNull(sensitiveField)) {
                field.setAccessible(true);
                Object object = field.get(result);
                //只支持String的解密
                if (object instanceof String) {
                    String value = (String) object;
                    //对注解的字段进行逐一解密
                    field.set(result, aes.decryptStr(value));
                }
            }
        }
        return result;
    }
}

2.6 定义出参解密拦截器

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
import com.example.demospringboot.mybaits.annotation.SensitiveData;
import lombok.extern.slf4j.Slf4j;
import org.apache.ibatis.executor.resultset.ResultSetHandler;
import org.apache.ibatis.plugin.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.stereotype.Component;
import org.springframework.util.CollectionUtils;

import java.sql.Statement;
import java.util.ArrayList;
import java.util.Objects;
import java.util.Properties;

/**
 * @author shuzhuo
 */
@Slf4j
@Component
@Intercepts({
        @Signature(type = ResultSetHandler.class, method = "handleResultSets", args = {Statement.class})
})
public class DecryptInterceptor implements Interceptor {

    @Autowired
    DecryptUtil aesDecrypt;

    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        //取出查询的结果
        Object resultObject = invocation.proceed();
        if (Objects.isNull(resultObject)) {
            return null;
        }
        //基于selectList
        if (resultObject instanceof ArrayList) {
            ArrayList resultList = (ArrayList) resultObject;
            if (!CollectionUtils.isEmpty(resultList) && needToDecrypt(resultList.get(0))) {
                for (Object result : resultList) {
                    //逐一解密
                    try {
                        aesDecrypt.decrypt(result);
                    } catch (Exception e) {
                        e.printStackTrace();
                    }

                }
            }
            //基于selectOne
        } else {
            if (needToDecrypt(resultObject)) {
                aesDecrypt.decrypt(resultObject);
            }
        }
        return resultObject;
    }

    private boolean needToDecrypt(Object object) {
        Class<?> objectClass = object.getClass();
        SensitiveData sensitiveData = AnnotationUtils.findAnnotation(objectClass, SensitiveData.class);
        return Objects.nonNull(sensitiveData);
    }


    @Override
    public Object plugin(Object target) {
        return Plugin.wrap(target, this);
    }

    @Override
    public void setProperties(Properties properties) {

    }
}

实体类加上注解,以下只做测试

1
2
3
4
5
6
7
8
9
10
11
12
13
/**
 * @author zhuo
 */
@Data
@SensitiveData
public class SysUser implements Serializable {

    private static final long serialVersionUID = 4563529828771521655L;

    @ApiModelProperty("用户名")
    @SensitiveField
    private String username;
   }

单元测试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
import com.example.demospringboot.user.SySUserService;
import com.example.demospringboot.user.SysUser;
import org.junit.jupiter.api.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

import java.util.List;

@RunWith(SpringRunner.class)
@SpringBootTest
class DemoSpringbootApplicationTests {


    @Autowired
    SySUserService sySUserService;

    @Test
    void test01() {
        System.out.println("test01");
        SysUser sySUser = new SysUser();
        String username = "test00234"+System.nanoTime();
        System.out.println(username);
        sySUser.setUsername(username);
        boolean save = sySUserService.save(sySUser);
        System.out.println(save);

        List<SysUser> list = sySUserService.list();
        System.out.println(list);

    }

}

可以看到 插入的数据自动加密

控制台

1
2
3
4
5
6
7
8
9
10
11
12
13
test01
test00234449687591200300
2022-01-22 14:36:21.872  INFO 28144 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2022-01-22 14:36:22.235  INFO 28144 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.
 Consume Time3 ms 2022-01-22 14:36:22
 Execute SQLINSERT INTO sys_user ( id, username ) VALUES ( '1484776935345385473', 'bcxdmWAC3TZ1YAUfEyD+iJtO1zNCMUw2iflQ0YiKv2M=' )

true
 Consume Time0 ms 2022-01-22 14:36:22
 Execute SQLSELECT id,server_path,wx_image_url,director,wx_openid,auth_time,leader_path,type,user_id,timeout,on_job,password,phone,biz_id,name,depart_id,duty_id,user_version,wx_name,email,status,username FROM sys_user

[SysUser(id=1484737253295333377, username=test00234440193730944300, userId=null, wxName=null, wxOpenid=null, wxImageUrl=null, password=$2a$10$6FFuNd6vNMAzVcHA8uXGhuf6m126Y5cRE098MV5OpTnpkJM5b6/Fq, name=null, email=null, phone=null, director=0, onJob=0, type=0, departId=null, dutyId=null, bizId=null, status=1, roleName=null, sufbId=null, serverPath=https://127.0.0.1:8443, leaderPath=null, timeout=5, userVersion=1.0, authTime=2022-01-22 11:59:37.0), SysUser(id=1484776935345385473, username=test00234449687591200300, userId=null, wxName=null, wxOpenid=null, wxImageUrl=null, password=$2a$10$6FFuNd6vNMAzVcHA8uXGhuf6m126Y5cRE098MV5OpTnpkJM5b6/Fq, name=null, email=null, phone=null, director=0, onJob=0, type=0, departId=null, dutyId=null, bizId=null, status=1, roleName=null, sufbId=null, serverPath=https://127.0.0.1:8443, leaderPath=null, timeout=5, userVersion=1.0, authTime=2022-01-22 14:36:22.0)]