Implementing RSA Encryption and Decryption in Spring Boot APIs

In modern projects, protecting data transmitted over APIs often requires encryption; RSA asymmetric encryption is a common choice because it uses a public key for encryption and a private key for decryption, preventing unauthorized parties from reading or tampering with the data.

The tutorial introduces a simple Spring Boot demo that encrypts API responses with RSA. It first explains RSA basics—how a key pair works, the difficulty of factoring large integers, and the difference between encryption (confidentiality) and signing (integrity).

Two illustrative scenarios are described: (1) A encrypts a command for B using A's public key, ensuring only A can decrypt it; (2) A signs a reply with its private key, allowing B to verify the signature with A's public key. The guide notes that combining encryption and signing provides both confidentiality and integrity.

Project setup includes creating a Spring Boot project, adding the Maven dependency <dependency> <groupId>cn.shuibo</groupId> <artifactId>rsa-encrypt-body-spring-boot</artifactId> <version>1.0.1.RELEASE</version> </dependency> , and enabling the security annotation with @SpringBootApplication @EnableSecurity public class DemoApplication { ... } .

The RSA keys are placed in application.yml (or application.properties ) under rsa.encrypt with flags open (true/false) and showLog , plus placeholders for publicKey and privateKey .

Controller methods are annotated to trigger automatic encryption/decryption: @Encrypt @GetMapping("/encryption") public TestBean encryption() { ... } and @Decrypt @PostMapping("/decryption") public String decryption(@RequestBody User user) { ... } .

On the front end, JSEncrypt is used to encrypt JSON payloads before sending them via AJAX. Example JavaScript code:

var PUBLIC_KEY = 'MIIBIjANBgkqh...';
function RSA_encryption(jsonData) {
    var encrypt = new JSEncrypt();
    encrypt.setPublicKey('-----BEGIN PUBLIC KEY-----' + PUBLIC_KEY + '-----END PUBLIC KEY-----');
    var encrypted = encrypt.encrypt(JSON.stringify(jsonData));
    console.log('Encrypted data:', encrypted);
    return encrypted;
}
function tijiao() {
    var str = {"name":"1223334","password":"asd",age:1};
    $.ajax({
        url: "/decryption",
        type: "POST",
        contentType: "application/json;charset=utf-8",
        data: RSA_encryption(str),
        success: function(data) { alert(data); }
    });
}

After enabling open: true in the configuration and restarting the application, requests to http://localhost:8080/encryption return encrypted JSON, and the front‑end can decrypt the response using the matching private key.

The article concludes that without the correct public/private keys, intercepted traffic cannot be deciphered, providing strong API protection. It also lists common pitfalls such as ensuring the correct contentType for AJAX requests and annotating the controller method with @RequestBody for decryption.