
Implementing Request and Response Encryption in Spring Boot with ControllerAdvice

This article walks through the design and implementation of symmetric request/response encryption for a Spring Boot API, covering requirement analysis, data models, custom ControllerAdvice for decryption and encryption, serialization challenges with FastJson and Jackson, and final configuration to keep encrypted payloads consistent across Android, iOS, and H5 clients.

Architecture Digest

The author starts by outlining the requirements: the scheme has to cover both GET and POST requests, leave existing business logic largely untouched, and use separate keys for H5 (browser) clients and native mobile clients. Any key embedded in H5 JavaScript can be read by whoever loads the page, so per-client keys limit the damage of that exposure rather than prevent it; this payload encryption is a layer on top of TLS, not a substitute for it. A simple data model follows: a @Data annotated User class and a UserType enum whose custom toString() controls its JSON representation.

Next, a basic UserController is shown, exposing /user/list and /secret/user/list endpoints that return a list of User objects wrapped in the author's own ResponseEntity wrapper class. Sample request and response payloads, both plain and encrypted, illustrate the expected format.

To handle decryption, a SecretRequestAdvice extending RequestBodyAdviceAdapter is introduced. It checks a thread-local flag, reads the raw request body, validates that the required headers (clientType, timestamp, salt, signature) are present, verifies the signature, and only then decrypts the data field with AES. The order matters: verifying before decrypting means a tampered or forged body is rejected without ever reaching the cipher, and the timestamp and salt give the server what it needs to refuse replayed requests.

For encryption, a SecretResponseAdvice implementing ResponseBodyAdvice is provided. It decides whether the response needs encrypting, serializes the response object, adds a timestamp, salt, and signature, and encrypts the resulting JSON string. The original implementation serialized with FastJson (JSON.toJSONString(o)), which rendered the UserType enum and LocalDateTime fields differently from the Jackson-based unencrypted endpoint, so encrypted and plain payloads no longer matched.
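The request advice and the response advice share one cryptographic core: sign and encrypt on the way out, verify and decrypt on the way in. The helper below is an added example, not code from the article, which names AES and a signature but does not state the AES mode or the signature algorithm. It assumes AES-GCM with a random 12-byte IV for the data field, HMAC-SHA256 over clientType|timestamp|salt|data for the signature, a hypothetical class name SecretEnvelope, keys supplied by the caller, and Java 16 or later for the record. GCM's tag already authenticates the ciphertext; the separate HMAC is kept because the article's wire format carries a signature that also binds the clientType, timestamp and salt headers.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical crypto core shared by SecretRequestAdvice (open) and SecretResponseAdvice (seal). */
public final class SecretEnvelope {

    /** The five values that cross the wire: headers on a request, JSON fields on a response. */
    public record Sealed(String clientType, long timestamp, String salt, String data, String signature) {}

    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L; // reject timestamps outside +/- 5 minutes

    private final SecretKeySpec aesKey; // per-client-type AES key (16, 24 or 32 bytes)
    private final SecretKeySpec macKey; // separate HMAC-SHA256 key for the signature

    public SecretEnvelope(byte[] aesKey, byte[] macKey) {
        this.aesKey = new SecretKeySpec(aesKey, "AES");
        this.macKey = new SecretKeySpec(macKey, "HmacSHA256");
    }

    /** Response side: encrypt the plaintext JSON, then sign clientType|timestamp|salt|data. */
    public Sealed seal(String plaintextJson, String clientType, long nowMillis) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv); // fresh IV per message: IV reuse with GCM breaks both confidentiality and integrity
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintextJson.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length]; // data = base64(iv || ciphertext || tag)
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        String data = Base64.getEncoder().encodeToString(blob);

        byte[] saltBytes = new byte[16];
        RNG.nextBytes(saltBytes); // per-message nonce; a server can cache recent salts to refuse replays
        String salt = Base64.getEncoder().encodeToString(saltBytes);
        String signature = Base64.getEncoder().encodeToString(hmac(clientType, nowMillis, salt, data));
        return new Sealed(clientType, nowMillis, salt, data, signature);
    }

    /** Request side: check freshness, verify the signature in constant time, only then decrypt. */
    public String open(Sealed s, long nowMillis) throws GeneralSecurityException {
        if (Math.abs(nowMillis - s.timestamp()) > MAX_SKEW_MS) {
            throw new SecurityException("timestamp outside the accepted window");
        }
        byte[] expected = hmac(s.clientType(), s.timestamp(), s.salt(), s.data());
        byte[] presented = Base64.getDecoder().decode(s.signature());
        if (!MessageDigest.isEqual(expected, presented)) { // constant-time compare, no early exit
            throw new SecurityException("signature mismatch");
        }
        byte[] blob = Base64.getDecoder().decode(s.data());
        if (blob.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new SecurityException("ciphertext too short");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, aesKey, new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        // doFinal throws AEADBadTagException if the ciphertext or its tag were altered
        byte[] plain = cipher.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Signature = HMAC-SHA256 over every header the receiver relies on, so none can be swapped alone. */
    private byte[] hmac(String clientType, long timestamp, String salt, String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        String msg = clientType + "|" + timestamp + "|" + salt + "|" + data;
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] aes = new byte[32], mac = new byte[32]; // constructed demo keys; real ones come from a secret store
        RNG.nextBytes(aes);
        RNG.nextBytes(mac);
        SecretEnvelope env = new SecretEnvelope(aes, mac);
        long now = System.currentTimeMillis();
        String body = "{\"id\":42,\"type\":\"NORMAL\"}"; // constructed plaintext

        Sealed sealed = env.seal(body, "android", now);
        System.out.println("round trip ok: " + body.equals(env.open(sealed, now)));

        // Changing anything covered by the signature (here the clientType header) is caught before decryption
        Sealed tampered = new Sealed("h5", sealed.timestamp(), sealed.salt(), sealed.data(), sealed.signature());
        try { env.open(tampered, now); } catch (SecurityException e) { System.out.println("tampered: " + e.getMessage()); }

        // A captured message replayed outside the window is refused even though its signature is valid
        try { env.open(sealed, now + MAX_SKEW_MS + 1); } catch (SecurityException e) { System.out.println("stale: " + e.getMessage()); }
    }
}
```

In the advices, open() belongs in beforeBodyRead (the advice hands the returned plaintext to the converter as a new HttpInputMessage) and seal() in beforeBodyWrite. Base64 decoding of a malformed header throws IllegalArgumentException, which an exception handler should map to a 400 rather than a 500, and the timestamp window only bounds replays; refusing a salt seen within the window closes them.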

To resolve this, the author switches to Jackson by injecting the container-managed ObjectMapper and calling objectMapper.writeValueAsString(o). Additional Jackson configuration enforces the desired date format (yyyy-MM-dd HH:mm:ss) for LocalDateTime fields, so the encrypted payload matches the unencrypted version.

The article concludes by tracing how Spring MVC's RequestResponseBodyMethodProcessor delegates serialization to AbstractJackson2HttpMessageConverter, which writes with the same ObjectMapper bean. Serializing inside the advice with that injected mapper therefore yields the same JSON as the unencrypted path, whatever modules and formats are configured on it.
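Putting the Jackson side together: one customizer pins the LocalDateTime format on the container-managed ObjectMapper, and the response advice serializes with that same mapper before handing the plaintext to the encryption step. This is an added example, not the article's code. It assumes Spring Boot with spring-boot-starter-json on the classpath (which registers JavaTimeModule for you), that encrypted endpoints live under the /secret/ path prefix shown in the article, that the client identifies itself with the clientType header, and a hypothetical PayloadSealer bean that performs the actual encryption so this file compiles on its own; the two classes are shown in one file for brevity.

```java
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import com.fasterxml.jackson.datatype.jsr310.deser.LocalDateTimeDeserializer;
import com.fasterxml.jackson.datatype.jsr310.ser.LocalDateTimeSerializer;
import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.MethodParameter;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;

/** One LocalDateTime format for the whole application, applied to the ObjectMapper bean Spring builds. */
@Configuration
class JacksonDateConfig {
    static final DateTimeFormatter DATE_TIME = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss");

    @Bean
    Jackson2ObjectMapperBuilderCustomizer localDateTimeFormat() {
        // Spring Boot already registers JavaTimeModule; this only pins the LocalDateTime representation
        return builder -> builder
                .serializerByType(LocalDateTime.class, new LocalDateTimeSerializer(DATE_TIME))
                .deserializerByType(LocalDateTime.class, new LocalDateTimeDeserializer(DATE_TIME))
                .featuresToDisable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
    }
}

/** Hypothetical seam for the encryption step, so this file compiles without the crypto helper. */
interface PayloadSealer {
    Object seal(String plaintextJson, String clientType);
}

/** Encrypts bodies of /secret/ endpoints; every other endpoint passes through untouched. */
@ControllerAdvice
public class SecretResponseAdvice implements ResponseBodyAdvice<Object> {
    private final ObjectMapper objectMapper; // the same bean the Jackson message converter writes with
    private final PayloadSealer sealer;

    public SecretResponseAdvice(ObjectMapper objectMapper, PayloadSealer sealer) {
        this.objectMapper = objectMapper;
        this.sealer = sealer;
    }

    @Override
    public boolean supports(MethodParameter returnType, Class<? extends HttpMessageConverter<?>> converterType) {
        // Only hook JSON responses; String and binary converters are left alone
        return AbstractJackson2HttpMessageConverter.class.isAssignableFrom(converterType);
    }

    @Override
    public Object beforeBodyWrite(Object body, MethodParameter returnType, MediaType contentType,
                                  Class<? extends HttpMessageConverter<?>> converterType,
                                  ServerHttpRequest request, ServerHttpResponse response) {
        if (!request.getURI().getPath().startsWith("/secret/")) {
            return body;
        }
        String clientType = request.getHeaders().getFirst("clientType");
        if (clientType == null) {
            throw new IllegalArgumentException("clientType header is required on /secret/ endpoints");
        }
        try {
            // Same mapper as the plain endpoint, so enums and LocalDateTime come out identically
            String plainJson = objectMapper.writeValueAsString(body);
            return sealer.seal(plainJson, clientType);
        } catch (JsonProcessingException e) {
            throw new IllegalStateException("could not serialize response before encryption", e);
        }
    }
}
```

The object returned from beforeBodyWrite (timestamp, salt, data, signature) contains only strings and a long, so the converter that finally writes it has no enum or date formatting left to get wrong; every formatting decision was already made by the injected ObjectMapper when plainJson was produced.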

Tags: Java, Backend Development, Spring Boot, fastjson, Jackson, ControllerAdvice, API Encryption
Written by

Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
