Enterprise Data Desensitization Solutions Using MyBatis and Fastjson

Recent data leaks have highlighted the importance of protecting user privacy, prompting enterprises to adopt both organizational controls and technical measures such as data masking to secure sensitive information like phone numbers, ID cards, and bank accounts.

Masking methods are grouped into three categories: Hiding (e.g., replacing parts of a value with asterisks), Obfuscation (randomly altering data to make it unreadable), and Encryption (using cryptographic algorithms to produce ciphertext, with symmetric encryption allowing reversible decryption).

In a typical enterprise data flow—database → backend service → client app—sensitive data can be exposed at each layer. The article outlines a three‑stage protection model:

Database side: restrict access and export permissions.

Backend application: avoid logging raw data and intercept SQL execution.

Client side: ensure only masked data is returned.

Database masking with MyBatis is achieved by adding encrypted fields (e.g., mobileEncrypt ) and annotating original fields with @EncryptTag . A custom MyBatis Interceptor intercepts Executor , ParameterHandler , ResultSetHandler , and StatementHandler to encrypt data before it is persisted and decrypt it when it is read back.

public class Employee {
    private Long id;
    private String name;
    @EncryptTag
    private String mobile;
    private String mobileEncrypt;
    private String email;
    private double salary;
}

@Intercepts({
    @Signature(type = Executor.class, method = "update", args = {MappedStatement.class, Object.class}),
    @Signature(type = Executor.class, method = "query", args = {MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class, CacheKey.class, BoundSql.class}),
    @Signature(type = ResultSetHandler.class, method = "handleResultSets", args = {Statement.class})
})
public class EncryptPlugin implements Interceptor {
    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        // encryption logic
        return invocation.proceed();
    }
    // other required methods omitted for brevity
}

For historical data, a smooth migration process is recommended: add encrypted columns, perform double‑write, migrate existing records, switch reads to the encrypted column, and finally clear the plaintext column.

Log masking leverages Fastjson's serialization filters. Two approaches are discussed: annotation‑based @JSONField (not recommended due to high intrusion) and filter‑based masking using implementations such as PropertyPreFilter , PropertyFilter , NameFilter , ValueFilter , BeforeFilter , and AfterFilter . A custom ValueFilter can selectively desensitize fields during JSON conversion.

public class FastjsonValueFilter implements ValueFilter {
    @Override
    public Object process(Object object, String name, Object value) {
        if (needDesensitize(object, name)) {
            return desensitize(value);
        }
        return value;
    }
}
String s = JSON.toJSONString(new Person("131xxxx1552", "[email protected]"), new FastjsonValueFilter());

Output masking can be integrated at the Spring MVC layer by implementing WebMvcConfigurer and overriding configureMessageConverters to register global or class‑specific Fastjson filters.

@Configuration
public class FastJsonWebSerializationConfiguration implements WebMvcConfigurer {
    @Bean(name = "httpMessageConverters")
    public HttpMessageConverters fastJsonHttpMessageConverters() {
        FastJsonHttpMessageConverter fastConverter = new FastJsonHttpMessageConverter();
        FastJsonConfig fastJsonConfig = new FastJsonConfig();
        fastJsonConfig.setSerializerFeatures(SerializerFeature.PrettyFormat);
        fastJsonConfig.setSerializeFilters(new ValueDesensitizeFilter());
        Map
, SerializeFilter> classSerializeFilters = new HashMap<>();
        classSerializeFilters.put(Employee.class, new FastjsonValueFilter());
        fastJsonConfig.setClassSerializeFilters(classSerializeFilters);
        fastConverter.setFastJsonConfig(fastJsonConfig);
        fastConverter.setSupportedMediaTypes(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8));
        return new HttpMessageConverters(fastConverter);
    }
}

The article concludes that the presented masking strategies—database, log, and output—together with the provided code snippets, enable enterprises to meet security requirements while maintaining functional integrity.