vendredi 4 janvier 2019

Encrypting properties marked with a Custom Annotation while serializing POJOs to JSON

I am using Jackson to serialize POJOs to JSON before saving them to the database. For security reasons, I need to encrypt properties marked with the annotation, @Confidential.

  • The fields (properties) that need to be encrypted need not be top-level fields and could be deeply nested.

  • I also do not know which Java Classes are involved, so I cannot write a custom JSON Serializer in advance.

  • Omitting the confidential fields isn't an option. So @JsonIgnore, @JsonView and Property Filters are not an option.

For example, consider the following POJOs. homeAddress and age of the person need to be encrypted (they are not the top-level fields of the Neighborhood class).

@Serializable 
private class Neighborhood {
   private String name;
   private Collection<Person> people;
}

@Serializable
public class Person {
   private String name;

   @Confidential
   private int age;

   @Confidential
   private Address homeAddress;
}

@Serializable
public class Address {
   private String streetAddress;
   private String city;
   private String state;
   private int zip;
}

I am thinking of writing an annotation processor that creates a field registry. The registry will be created using reflection and will walk all classes marked with @Serializable annotation. The registry will have information about which fields need to be encrypted and which need not.

Now, after the Neighborhood POJO is serialized to JSON, I should be able to walk to the JSON and look up the fields in the field registry and do the needful. However, I do not know what to do if the properties are collections (i.e. Lists and Maps) and the generic type information is lost.

Questions:

  • Is there a better and simpler approach than the one that I described? If yes, what's that approach?

  • If there isn't a better approach, how do I process collections (lists and maps).

This question is not same as Customize Jackson ObjectMapper to Read custom Annotation and mask fields annotated

Here are the reason's why:

  • We do not know which classes and fields will be annotated with the @Confidential annotation. So not sure how I can generate all needed custom serializers on the fly and register them with a SerializationModule in Jackson's ObjectMapper.
  • The generated Serializer should know how to handle both encrypted and non-encrypted fields.
  • Not sure how I will inject the Encryption Client in to the Serializer.




Aucun commentaire:

Enregistrer un commentaire