序列化和反序列化(五)——敏感字段加密

       情景:服务器端给客户端发送序列化对象数据,对象中有一些数据是敏感的,比如密码字符串等,希望对该密码字段在序列化时,进行加密,而客户端如果拥有解密的密钥,只有在客户端进行反序列化时,才可以对密码进行读取,这样可以一定程度保证序列化对象的数据安全。

       解决:在序列化过程中,虚拟机会试图调用对象类里的 writeObject readObject 方法,进行用户自定义的序列化和反序列化,如果没有这两个方法,则默认调用ObjectOutputStream defaultWriteObject 方法以及 ObjectInputStream defaultReadObject 方法。通过在序列化对象类定义 writeObject ,在反序列化对象类定义readObject 方法可以控制序列化和反序列化过程,比如在序列化和反序列化过程中动态改变序列化的数值。基于这个原理即可实现敏感字段加密与解密工作,如下代码:

       venus工程:

              加密工具类:

import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
 
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;
 
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
 
/**
 * 加密/解密工具
 * 
 * @author GaoHuanjie
 */
public class EncryptUtil {
 
	private Key key;
	private String charset = "utf-8";
	private AlgorithmParameterSpec iv;// 加密算法的参数接口
	private final byte[] DESIV = { 0x12, 0x34, 0x56, 120, (byte) 0x90, (byte) 0xab, (byte) 0xcd, (byte) 0xef };// 向量
	
	/**
	 * 初始化
	 * 
	 * @author GaoHuanjie
	 */
	public EncryptUtil(String key) throws Exception {
		iv = new IvParameterSpec(DESIV);// 设置向量
		DESKeySpec desKeySpec = new DESKeySpec(key.getBytes(charset));// 设置密钥参数
		SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");// 获得密钥工厂
		this.key = keyFactory.generateSecret(desKeySpec);// 得到密钥对象
	}
	
	/**
	 * 加密
	 * 
	 * @author GaoHuanjie
	 */
	public String encode(String data) throws Exception {
		Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");// 得到加密对象Cipher
		cipher.init(Cipher.ENCRYPT_MODE, key, iv);// 设置工作模式为加密模式,给出密钥和向量
		byte[] pasByte = cipher.doFinal(data.getBytes(charset));
		BASE64Encoder base64Encoder = new BASE64Encoder();
		return base64Encoder.encode(pasByte);
	}
	
	/**
	 * 解密
	 * 
	 * @author GaoHuanjie
	 */
	public String decode(String data) throws Exception {
		Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
		cipher.init(Cipher.DECRYPT_MODE, key, iv);
		BASE64Decoder base64Decoder = new BASE64Decoder();
		byte[] pasByte = cipher.doFinal(base64Decoder.decodeBuffer(data));
		return new String(pasByte, charset);
	}
}

              UserInfo

import java.io.ObjectOutputStream;
import java.io.ObjectOutputStream.PutField;
import java.io.Serializable;

public class UserInfo implements Serializable {
	
	private String password;
	private static final String KEY = "12345678";
	private static final long serialVersionUID = 1L;

	public String getPassword() {
		return password;
	}

	public void setPassword(String password) {
		this.password = password;
	}

	private void writeObject(ObjectOutputStream out) {
		try {
			PutField putFields = out.putFields();
			System.out.println("加密前:" + password);
			password = new EncryptUtil(KEY).encode(password);// 加密
			System.out.println("加密后:" + password);
			putFields.put("password", password);
			out.writeFields();
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

              Test类(序列化)

import java.io.*;

public class Test {

	public static void main(String[] args) throws Exception {
		UserInfo userInfo = new UserInfo();
		userInfo.setPassword("gaohuanjie");
		ObjectOutput objectOutput = null;
		try {
			objectOutput = new ObjectOutputStream(new FileOutputStream("D:\\user_info.ser"));
			objectOutput.writeObject(userInfo);
			objectOutput.flush();
		} catch (IOException e) {
			e.printStackTrace();
		} finally {
			if (objectOutput != null) {
				try {
					objectOutput.close();
				} catch (IOException e) {
					e.printStackTrace();
				}
			}
		}
	}
}

       sirius工程:

              加密工具类:(同venus工程)

              UserInfo类:

import java.io.ObjectInputStream;
import java.io.ObjectInputStream.GetField;
import java.io.Serializable;

public class UserInfo implements Serializable {

	private String password;
	private static final String KEY = "12345678";
	private static final long serialVersionUID = 1L;

	public String getPassword() {
		return password;
	}

	public void setPassword(String password) {
		this.password = password;
	}

	private void readObject(ObjectInputStream in) {
		try {
			GetField readFields = in.readFields();
			password = (String) readFields.get("password", "");
			System.err.println("解密前:" + password);
			password = new EncryptUtil(KEY).decode(password);// 解密
			System.err.println("解密后:" + this.password);
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

              Test类(反序列化)

import java.io.FileInputStream;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;

public class Test {

	public static void main(String[] args) throws Exception {
		ObjectInput objectInput = null;
		try {
			objectInput = new ObjectInputStream(new FileInputStream("D:\\user_info.ser"));
			UserInfo userInfo = (UserInfo) objectInput.readObject();
			System.out.println(userInfo);
		} catch (Exception e) {
			e.printStackTrace();
		} finally {
			if (objectInput!=null) {
				try {
					objectInput.close();
				} catch (IOException e) {
					e.printStackTrace();
				} 
			}
		}
	}
}

 

发布了327 篇原创文章 · 获赞 571 · 访问量 164万+
展开阅读全文

没有更多推荐了,返回首页

©️2019 CSDN 皮肤主题: 书香水墨 设计师: CSDN官方博客

分享到微信朋友圈

×

扫一扫,手机浏览