Implementing Data Masking in MySQL and Java with MyBatis‑Mate Sensitive Jackson

1. SQL Data Masking Implementation

Shows how to mask phone numbers and ID cards in MySQL using string functions CONCAT() , LEFT() and RIGHT() .

-- CONCAT(), LEFT() and RIGHT() string functions combination
-- Phone number masking SQL:
SELECT mobilePhone AS 原手机号,
       CONCAT(LEFT(mobilePhone,3), '********') AS 脱敏后手机号
FROM t_s_user;

-- ID card masking SQL:
SELECT idcard AS 原身份证,
       CONCAT(LEFT(idcard,3), '****', RIGHT(idcard,4)) AS 脱敏后身份证号
FROM t_s_user;

2. Java Data Masking Implementation

References the open‑source project sensitive-plus , which supports address, bank card, Chinese name, landline, ID card, mobile, and password masking via regular expressions or length‑based rules.

3. mybatis‑mate‑sensitive‑jackson

A MyBatis‑Mate extension that applies masking strategies to entity fields using the @FieldSensitive annotation. The article provides the full source tree, including Maven pom.xml , Spring Boot configuration, custom strategy beans, entity definitions, controller, mapper, and test calls.

# pom.xml (excerpt)
com.baomidou
mybatis-mate-examples
0.0.1-SNAPSHOT
4.0.0
mybatis-mate-sensitive-jackson
mysql
mysql-connector-java

# application.yml (excerpt)
spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://localhost:3306/mybatis_mate?useSSL=false&useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC
    username: root
    password: 123456
mybatis-mate:
  cert:
    grant: thisIsTestLicense
    license: ... (test license string)

// SensitiveStrategyConfig.java
@Configuration
public class SensitiveStrategyConfig {
    @Bean
    public ISensitiveStrategy sensitiveStrategy() {
        // custom "testStrategy" implementation
        return new SensitiveStrategy().addStrategy("testStrategy", t -> t + "***test***");
    }
}

// User entity with masking annotations
@Getter
@Setter
public class User {
    private Long id;
    @FieldSensitive("testStrategy")
    private String username; // custom strategy
    @FieldSensitive(SensitiveType.mobile)
    private String mobile;   // built‑in mobile masking
    @FieldSensitive(SensitiveType.email)
    private String email;    // built‑in email masking
}

// UserController demonstrating masked responses
@RestController
public class UserController {
    @Autowired private UserMapper userMapper;
    @Autowired private ISensitiveStrategy sensitiveStrategy;

    @GetMapping("/info")
    public User info() { return userMapper.selectById(1L); }

    @GetMapping("/map")
    public Map
map() {
        Map
userMap = new HashMap<>();
        userMap.put("user", userMapper.selectById(1L));
        userMap.put("mobile", sensitiveStrategy.getStrategyFunctionMap()
                .get(SensitiveType.mobile).apply("15315388888"));
        return userMap;
    }

    @GetMapping("/list")
    public List
list(HttpServletRequest request) {
        if ("1".equals(request.getParameter("skip"))) {
            RequestDataTransfer.skipSensitive(); // skip masking
        }
        return userMapper.selectList(null);
    }
}

The provided test calls show JSON responses with masked fields (e.g., usernames become Jone***test*** , mobiles become 153******81 , emails become t****@baomidou.com ) and the same data without masking when the skip=1 parameter is used.

Overall, the article offers a practical guide for developers to implement data desensitization at both the database and application layers, leveraging MySQL functions, a Java masking library, and a configurable MyBatis‑Mate extension.