版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/wangshuxuncom/article/details/89497013
情景:服务器端给客户端发送序列化对象数据,对象中有一些数据是敏感的,比如密码字符串等,希望对该密码字段在序列化时,进行加密,而客户端如果拥有解密的密钥,只有在客户端进行反序列化时,才可以对密码进行读取,这样可以一定程度保证序列化对象的数据安全。
解决:在序列化过程中,虚拟机会试图调用对象类里的 writeObject 和 readObject 方法,进行用户自定义的序列化和反序列化,如果没有这两个方法,则默认调用ObjectOutputStream 的 defaultWriteObject 方法以及 ObjectInputStream 的 defaultReadObject 方法。通过在序列化对象类定义 writeObject ,在反序列化对象类定义readObject 方法可以控制序列化和反序列化过程,比如在序列化和反序列化过程中动态改变序列化的数值。基于这个原理即可实现敏感字段加密与解密工作,如下代码:
venus工程:
加密工具类:
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
/**
* 加密/解密工具
*
* @author GaoHuanjie
*/
public class EncryptUtil {
private Key key;
private String charset = "utf-8";
private AlgorithmParameterSpec iv;// 加密算法的参数接口
private final byte[] DESIV = { 0x12, 0x34, 0x56, 120, (byte) 0x90, (byte) 0xab, (byte) 0xcd, (byte) 0xef };// 向量
/**
* 初始化
*
* @author GaoHuanjie
*/
public EncryptUtil(String key) throws Exception {
iv = new IvParameterSpec(DESIV);// 设置向量
DESKeySpec desKeySpec = new DESKeySpec(key.getBytes(charset));// 设置密钥参数
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");// 获得密钥工厂
this.key = keyFactory.generateSecret(desKeySpec);// 得到密钥对象
}
/**
* 加密
*
* @author GaoHuanjie
*/
public String encode(String data) throws Exception {
Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");// 得到加密对象Cipher
cipher.init(Cipher.ENCRYPT_MODE, key, iv);// 设置工作模式为加密模式,给出密钥和向量
byte[] pasByte = cipher.doFinal(data.getBytes(charset));
BASE64Encoder base64Encoder = new BASE64Encoder();
return base64Encoder.encode(pasByte);
}
/**
* 解密
*
* @author GaoHuanjie
*/
public String decode(String data) throws Exception {
Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, key, iv);
BASE64Decoder base64Decoder = new BASE64Decoder();
byte[] pasByte = cipher.doFinal(base64Decoder.decodeBuffer(data));
return new String(pasByte, charset);
}
}
UserInfo类:
import java.io.ObjectOutputStream;
import java.io.ObjectOutputStream.PutField;
import java.io.Serializable;
public class UserInfo implements Serializable {
private String password;
private static final String KEY = "12345678";
private static final long serialVersionUID = 1L;
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
private void writeObject(ObjectOutputStream out) {
try {
PutField putFields = out.putFields();
System.out.println("加密前:" + password);
password = new EncryptUtil(KEY).encode(password);// 加密
System.out.println("加密后:" + password);
putFields.put("password", password);
out.writeFields();
} catch (Exception e) {
e.printStackTrace();
}
}
}
Test类(序列化):
import java.io.*;
public class Test {
public static void main(String[] args) throws Exception {
UserInfo userInfo = new UserInfo();
userInfo.setPassword("gaohuanjie");
ObjectOutput objectOutput = null;
try {
objectOutput = new ObjectOutputStream(new FileOutputStream("D:\\user_info.ser"));
objectOutput.writeObject(userInfo);
objectOutput.flush();
} catch (IOException e) {
e.printStackTrace();
} finally {
if (objectOutput != null) {
try {
objectOutput.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
}
}
sirius工程:
加密工具类:(同venus工程)
UserInfo类:
import java.io.ObjectInputStream;
import java.io.ObjectInputStream.GetField;
import java.io.Serializable;
public class UserInfo implements Serializable {
private String password;
private static final String KEY = "12345678";
private static final long serialVersionUID = 1L;
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
private void readObject(ObjectInputStream in) {
try {
GetField readFields = in.readFields();
password = (String) readFields.get("password", "");
System.err.println("解密前:" + password);
password = new EncryptUtil(KEY).decode(password);// 解密
System.err.println("解密后:" + this.password);
} catch (Exception e) {
e.printStackTrace();
}
}
}
Test类(反序列化):
import java.io.FileInputStream;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
public class Test {
public static void main(String[] args) throws Exception {
ObjectInput objectInput = null;
try {
objectInput = new ObjectInputStream(new FileInputStream("D:\\user_info.ser"));
UserInfo userInfo = (UserInfo) objectInput.readObject();
System.out.println(userInfo);
} catch (Exception e) {
e.printStackTrace();
} finally {
if (objectInput!=null) {
try {
objectInput.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
}
}