I am using Jackson to serialize POJOs to JSON before saving them to the database. For security reasons, I need to encrypt properties marked with the annotation, @Confidential.
- The fields (properties) that need to be encrypted need not be top-level fields and could be deeply nested.
- I also do not know which Java classes are involved, so I cannot write a custom JSON Serializer in advance.
- Omitting the confidential fields isn't an option. So @JsonIgnore, @JsonView and Property Filters are not an option.
For example, consider the following POJOs. homeAddress and age of the person need to be encrypted (they are not the top-level fields of the Neighborhood class).
@Serializable
public class Neighborhood {   // was "private"; a top-level class cannot be private in Java
    private String name;
    private Collection<Person> people;   // Person has the @Confidential fields, two levels down
}

@Serializable
public class Person {
    private String name;
    @Confidential
    private int age;
    @Confidential
    private Address homeAddress;   // a nested POJO, encrypted as a whole
}

@Serializable
public class Address {
    private String streetAddress;
    private String city;
    private String state;
    private int zip;
}
I am thinking of writing an annotation processor that creates a field registry. The registry will be created using reflection and will walk all classes marked with @Serializable annotation. The registry will have information about which fields need to be encrypted and which need not.
Now, after the Neighborhood POJO is serialized to JSON, I should be able to walk the JSON, look up the fields in the field registry and do the needful. However, I do not know what to do if the properties are collections (i.e. Lists and Maps) and the generic type information is lost.
Questions:
- Is there a better and simpler approach than the one that I described? If yes, what's that approach?
- If there isn't a better approach, how do I process collections (lists and maps)?
This question is not the same as Customize Jackson ObjectMapper to Read custom Annotation and mask fields annotated.
Here are the reasons why:
- We do not know which classes and fields will be annotated with the @Confidential annotation. So not sure how I can generate all needed custom serializers on the fly and register them with a SerializationModule in Jackson's ObjectMapper.
- The generated Serializer should know how to handle both encrypted and non-encrypted fields.
- Not sure how I will inject the Encryption Client into the Serializer.
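As an added example (not code from the question), one way to avoid the field registry altogether: a Jackson AnnotationIntrospector that hands every @Confidential property, at any nesting depth, to a serializer that encrypts the property's whole JSON value. The annotation, EncryptingSerializer and ConfidentialIntrospector are names assumed here, and the AES key is supplied by the caller.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.introspect.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.IOException;
import java.lang.annotation.*;
import java.nio.ByteBuffer;
import java.security.*;
import java.util.Base64;

// Assumed marker annotation; RUNTIME retention is required for Jackson to see it.
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.FIELD, ElementType.METHOD})
@interface Confidential {}

// Serializes the property value to JSON with a plain mapper, encrypts those bytes with
// AES-GCM (random 12-byte IV prepended) and writes one Base64 string. Scalars, nested
// POJOs, Lists and Maps are all handled alike: no generic type information is needed.
class EncryptingSerializer extends JsonSerializer<Object> {
    private static final ObjectMapper PLAIN = new ObjectMapper();
    private final SecretKey key;
    EncryptingSerializer(SecretKey key) { this.key = key; }
    @Override
    public void serialize(Object value, JsonGenerator gen, SerializerProvider sp) throws IOException {
        try {
            byte[] iv = new byte[12];
            new SecureRandom().nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(PLAIN.writeValueAsBytes(value));
            byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
            gen.writeString(Base64.getEncoder().encodeToString(out));
        } catch (GeneralSecurityException e) {
            throw new IOException("encryption of confidential property failed", e);
        }
    }
}

// Jackson consults the introspector for every property it discovers while walking the
// object graph, so annotated fields inside Neighborhood.people are found at any depth.
class ConfidentialIntrospector extends JacksonAnnotationIntrospector {
    private final SecretKey key;
    ConfidentialIntrospector(SecretKey key) { this.key = key; }
    @Override
    public Object findSerializer(Annotated a) {
        return a.hasAnnotation(Confidential.class) ? new EncryptingSerializer(key) : super.findSerializer(a);
    }
}
```

Install it with mapper.setAnnotationIntrospector(new ConfidentialIntrospector(key)); a matching findDeserializer override on the same class lets the stored JSON be read back.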