How to Implement Enterprise Data Desensitization with MyBatis and Fastjson

Introduction

In recent years, frequent user data leaks have forced enterprises to strengthen data security. Apart from tightening permission controls, technical desensitization of personal information is required to protect privacy and comply with regulations.

Desensitization Methods

Masking : Replace sensitive parts with symbols (e.g., show only the last four digits of a phone number).

Obfuscation : Randomly transform or truncate data so that the original value becomes unreadable.

Encryption : Encrypt sensitive fields with a key; the ciphertext is stored and can be decrypted only with the correct key. Symmetric encryption allows reversible de‑cryption when needed.

Typical sensitive fields include names, phone numbers, ID numbers, bank cards, email addresses, home addresses, and passwords. The Hutool library offers many ready‑made desensitization utilities.

Enterprise Desensitization Architecture

Data usually flows through three layers: the database, backend services, and the client application. Each layer can be a point for applying desensitization.

Database side : Original data is stored; privileged users can view or export it.

Backend application : Logs may capture raw data, which can be a leakage source.

Application output : Clients retrieve data from the backend, potentially exposing raw values.

Database Desensitization with MyBatis

MyBatis provides a plugin mechanism that can intercept SQL execution. By creating an EncryptPlugin and a DecryptPlugin, fields annotated with @EncryptTag are automatically encrypted before persistence and decrypted after retrieval.

To migrate existing plaintext data without service interruption, follow a smooth‑desensitization process:

Add a new encrypted field (e.g., mobileEncrypt) alongside the original field.

Write both fields during new inserts/updates (double write).

Migrate historical data into the encrypted column.

Switch read operations to the encrypted field.

After verification, clear the original plaintext column.

public class Employee {
    private Long id;
    private String name;
    @EncryptTag
    private String mobile;
    private String mobileEncrypt;
    private String email;
    private double salary;
}

@Intercepts({@Signature(type = Executor.class, method = "update", args = {MappedStatement.class, Object.class})})
public class EncryptPlugin implements Interceptor {
    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        // encrypt logic
        return invocation.proceed();
    }
    // plugin and setProperties omitted for brevity
}

@Intercepts({@Signature(type = ResultSetHandler.class, method = "handleResultSets", args = {Statement.class})})
public class DecryptPlugin implements Interceptor {
    @Override
    public Object intercept(Invocation invocation) throws Throwable {
        Object result = invocation.proceed();
        // decrypt logic
        return result;
    }
}

Log Desensitization with Fastjson

Fastjson’s SerializeFilter hierarchy allows custom serialization. Implement a ValueFilter that replaces sensitive values during JSON generation.

public class FastjsonValueFilter implements ValueFilter {
    @Override
    public Object process(Object object, String name, Object value) {
        if (needDesensitize(object, name)) {
            return desensitize(value);
        }
        return value;
    }
}
String json = JSON.toJSONString(new Person("131xxxx1552", "[email protected]"), new FastjsonValueFilter());

Output Desensitization via Spring MVC

For Spring Boot applications, implement WebMvcConfigurer and override configureMessageConverters to register a global Fastjson converter with custom ValueFilter instances.

@Configuration
public class FastJsonWebSerializationConfiguration implements WebMvcConfigurer {
    @Bean(name = "httpMessageConverters")
    public HttpMessageConverters fastJsonHttpMessageConverters() {
        FastJsonHttpMessageConverter fastConverter = new FastJsonHttpMessageConverter();
        FastJsonConfig fastJsonConfig = new FastJsonConfig();
        fastJsonConfig.setSerializerFeatures(SerializerFeature.PrettyFormat);
        fastJsonConfig.setSerializeFilters(new ValueDesensitizeFilter());
        fastConverter.setFastJsonConfig(fastJsonConfig);
        return new HttpMessageConverters(fastConverter);
    }
}

Conclusion

The article presents a complete enterprise‑level data desensitization strategy, covering database, log, and output layers, and supplies concrete Java code snippets that can be adapted to real‑world projects.