How SmartAdmin Implements Level‑3 Security Protection

This article explains how the open‑source SmartAdmin project satisfies China’s Level‑3 security protection requirements by detailing identity verification, access control, audit, intrusion prevention, data integrity, confidentiality, backup, and masking, and shows the corresponding UI settings and backend code implementations.

Ubiquitous Tech
Ubiquitous Tech
Ubiquitous Tech
How SmartAdmin Implements Level‑3 Security Protection

SmartAdmin provides a complete implementation of the Level‑3 security protection standard defined in China’s Cybersecurity Law, which requires measures to prevent serious harm to public order, public interests, or national security when a protected system is compromised.

Technical Requirements of Level‑3 Protection

The standard covers five domains: physical security, network security, host security, application security, and data security. SmartAdmin addresses the application‑level requirements through configurable features.

Identity Verification

Unique user identifiers and complex credentials that must be changed regularly (recommended length 8‑20 characters, mixed case, digits, and special symbols).

Login‑failure handling: lock the account for 20 minutes after more than five failed attempts and automatically log out after 30 minutes of inactivity.

Secure transmission: use HTTPS or SM2/SM4/RSA encryption for passwords.

Multi‑factor authentication: combine password with a second factor such as a captcha, certificate, or token.

Access Control

Assign accounts and permissions per user; remove or rename default accounts and change default passwords.

Principle of least privilege: separate roles for system administrator, security administrator, and audit administrator, each with minimal required permissions.

Security Audit

Enable audit logging for every user, covering login and configuration operations.

Protect audit records from deletion or modification and back them up for at least six months.

Intrusion Prevention

Validate input data size, type, and illegal characters.

Regular vulnerability scanning and timely patching.

Data Integrity and Confidentiality

Use cryptographic hash (MD5 + salt) for password storage.

Enforce password complexity with the regular expression defined in SecurityPasswordService.

public static final String PASSWORD_PATTERN = "^(?![a-zA-Z]+$)(?![A-Z0-9]+$)(?![A-Z\\W_!@#$%^&*`~()\-+=]+$)(?![a-z0-9]+$)(?![a-z\\W_!@#$%^&*`~()\-+=]+$)(?![0-9\\W_!@#$%^&*`~()\-+=]+$)[a-zA-Z0-9\\W_!@#$%^&*`~()\-+=]*$";

Require password change every six months and forbid reuse of the last five passwords, recorded in the t_password_log table.

CREATE TABLE `t_password_log` (
  `id` bigint NOT NULL AUTO_INCREMENT COMMENT 'Primary key',
  `user_id` bigint NOT NULL COMMENT 'User ID',
  `user_type` tinyint NOT NULL COMMENT 'User type',
  `old_password` varchar(255) NOT NULL COMMENT 'Old password',
  `new_password` varchar(255) DEFAULT NULL COMMENT 'New password',
  `update_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT 'Update time',
  `create_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'Create time',
  PRIMARY KEY (`id`) USING BTREE,
  KEY `user_and_type_index` (`user_id`,`user_type`) USING BTREE
) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8mb4 COMMENT='Password change log';

Data Backup and Recovery

Local backup and restore functions that allow direct import of backup files.

Real‑time remote backup across data centers (e.g., 30 km within the same city, 300 km between different cities).

Hot‑standby, clustering, and load‑balancing for high availability of application and database servers.

Data Masking

SmartAdmin uses the @DataMasking annotation on JavaBean fields and a custom serializer to mask sensitive data such as phone numbers, ID cards, addresses, emails, passwords, car plates, and bank cards.

public enum DataMaskingTypeEnum {
    COMMON(null, "Common"),
    PHONE(DesensitizedUtil.DesensitizedType.MOBILE_PHONE, "Phone"),
    CHINESE_NAME(DesensitizedUtil.DesensitizedType.CHINESE_NAME, "Chinese Name"),
    ID_CARD(DesensitizedUtil.DesensitizedType.ID_CARD, "ID Card"),
    FIXED_PHONE(DesensitizedUtil.DesensitizedType.FIXED_PHONE, "Fixed Phone"),
    ADDRESS(DesensitizedUtil.DesensitizedType.ADDRESS, "Address"),
    EMAIL(DesensitizedUtil.DesensitizedType.EMAIL, "Email"),
    PASSWORD(DesensitizedUtil.DesensitizedType.PASSWORD, "Password"),
    CAR_LICENSE(DesensitizedUtil.DesensitizedType.CAR_LICENSE, "Car License"),
    BANK_CARD(DesensitizedUtil.DesensitizedType.BANK_CARD, "Bank Card"),
    USER_ID(DesensitizedUtil.DesensitizedType.USER_ID, "User ID");
}

Example Java class:

@Data
public static class DataVO {
    @DataMasking(DataMaskingTypeEnum.USER_ID)
    private Long userId;
    @DataMasking(DataMaskingTypeEnum.PHONE)
    private String phone;
    @DataMasking(DataMaskingTypeEnum.ID_CARD)
    private String idCard;
    @DataMasking(DataMaskingTypeEnum.ADDRESS)
    private String address;
    @DataMasking(DataMaskingTypeEnum.PASSWORD)
    private String password;
    @DataMasking(DataMaskingTypeEnum.EMAIL)
    private String email;
    @DataMasking(DataMaskingTypeEnum.CAR_LICENSE)
    private String carLicense;
    @DataMasking(DataMaskingTypeEnum.BANK_CARD)
    private String bankCard;
    @DataMasking
    private String other;
}

Implementation Walk‑through

The security settings are configured through the “Network Security” menu in the admin UI, where options such as enabling two‑factor login, setting the maximum consecutive login failures, lock duration, auto‑logout timeout, password complexity, and password change interval are defined. When the user saves the form, the front‑end calls the AdminProtectController endpoint, which stores the values in a configuration table using a key‑enum mapping.

Backend service stores the configuration:

// Example of storing configuration key‑value pairs
@Service
public class ConfigService {
    public void saveConfig(Level3ProtectConfigForm form) {
        // Convert form fields to enum keys and persist
        // ...
    }
}

Login handling uses the LoginService class. If two‑factor authentication is enabled, the system sends an email verification code and validates it via sendEmailCode and validateEmailCode. Session timeout is enforced by Sa‑Token’s setActiveTimeout method (see the setProp snippet above). Password encryption before sending the login request is performed in login.vue using the encryptData utility, which supports SM4 and AES algorithms. The back‑end decrypts the password with ApiEncryptService.

Overall, SmartAdmin demonstrates a practical, configurable approach to meeting Level‑3 protection requirements, providing concrete code patterns that developers can adapt for their own systems.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

JavaAccess ControlIdentity VerificationData MaskingSecurity DesignLevel‑3 ProtectionSmartAdmin
Ubiquitous Tech
Written by

Ubiquitous Tech

A ubiquitous public account for pirate enthusiasts, regularly sharing curated experiences, tech learning, and growth insights. Currently publishing articles on AI RAG customer service, AI MCP technology, and open-source design. Personal free Knowledge Planet: Awakening New World Programmer.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.