Log Data Masking Solution for Java Spring Applications
This article analyzes the growing risk of personal data leakage, defines data masking, compares common log‑masking techniques, and presents a comprehensive Java‑Spring solution that combines annotation‑based marking, custom Jackson serializers, and extended SLF4J methods to achieve precise, low‑overhead log masking.
The article begins with an analysis of the increasing incidents of personal information theft and the regulatory push for data protection, emphasizing the need for data masking when displaying user data.
Data masking (also called data de‑identification) is defined as the transformation of sensitive fields such as names, ID numbers, phone numbers, addresses, emails, and passwords to protect privacy.
The scope of the solution is limited to Java projects built on the Spring framework, focusing on log output masking.
Two common log‑masking approaches are described: (1) a global SLF4J regular‑expression matcher that requires no code changes but incurs high CPU cost, and (2) manual utility‑class conversion that offers precise control but demands extensive code modifications.
A hybrid third approach is proposed, combining the strengths of the first two methods: using object annotations together with a custom log‑masking method.
The design consists of three parts: (1) Masking Tools – a utility class (SensitiveUtils) providing specific masking functions for phone numbers, names, IDs, etc.; (2) Object Annotation – a @SensitiveMaskField annotation that marks sensitive fields, processed by a custom Jackson serializer; and (3) SLF4J Extension – additional methods such as maskInfo, maskWarn, etc., added to the logger interface to replace standard logging calls without breaking existing log formats.
Implementation steps include creating the @SensitiveMaskField annotation, defining an enum to map annotation values to masking functions, and implementing public class SensitiveMaskDataSerializer extends JsonSerializer implements ContextualSerializer to handle annotated fields during JSON serialization.
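A minimal sketch of the annotation, enum and contextual serializer steps described above, added here as an illustration and not the article's own code. Only the names @SensitiveMaskField and SensitiveMaskDataSerializer come from the article; the MaskType enum, its masking rules, the User class and the sample values are assumptions, and the code needs jackson-databind and Java 11 or later.

```java
import com.fasterxml.jackson.annotation.JacksonAnnotationsInside;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import com.fasterxml.jackson.databind.ser.ContextualSerializer;
import java.io.IOException;
import java.lang.annotation.*;
import java.util.function.UnaryOperator;

public class MaskDemo {
    // Hypothetical rules standing in for the article's SensitiveUtils functions.
    enum MaskType {
        PHONE(s -> s.length() < 7 ? "***" : s.substring(0, 3) + "****" + s.substring(s.length() - 4)),
        NAME(s -> s.isEmpty() ? s : s.charAt(0) + "*".repeat(s.length() - 1));
        final UnaryOperator<String> fn;
        MaskType(UnaryOperator<String> fn) { this.fn = fn; }
    }

    // Marks a field as sensitive and routes it to the masking serializer.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @JacksonAnnotationsInside
    @JsonSerialize(using = SensitiveMaskDataSerializer.class)
    @interface SensitiveMaskField { MaskType value(); }

    public static class SensitiveMaskDataSerializer extends JsonSerializer<String> implements ContextualSerializer {
        private final MaskType type;
        public SensitiveMaskDataSerializer() { this(null); }  // used by Jackson before contextualization
        SensitiveMaskDataSerializer(MaskType type) { this.type = type; }
        @Override
        public void serialize(String value, JsonGenerator gen, SerializerProvider sp) throws IOException {
            // Fail closed: with no resolved rule, emit a full mask rather than the raw value.
            gen.writeString(type == null ? "***" : type.fn.apply(value));
        }
        @Override
        public JsonSerializer<?> createContextual(SerializerProvider sp, BeanProperty prop) throws JsonMappingException {
            // Read the rule from the annotated field and return a serializer bound to it.
            SensitiveMaskField ann = prop == null ? null : prop.getAnnotation(SensitiveMaskField.class);
            return ann == null ? this : new SensitiveMaskDataSerializer(ann.value());
        }
    }

    static class User {  // constructed sample object
        @SensitiveMaskField(MaskType.NAME) public String name = "Alice";
        @SensitiveMaskField(MaskType.PHONE) public String phone = "13800001234";
        public String city = "Shanghai";  // not annotated, serialized unchanged
    }
    public static void main(String[] args) throws Exception {
        System.out.println(new ObjectMapper().writeValueAsString(new User()));
    }
}
```

Only fields carrying the annotation pass through a masking function, which is why this approach avoids the regex scan over every log line that the global matcher requires.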
Example usage shows how logger calls like log.maskInfo("就在北京市十五届人大五次会议闭幕"); log.maskInfo("北京今日标题:{}, {}", "稳住农业基本盘做好三农工作", "巩固拓展脱贫攻坚成果"); produce masked output such as 就在北***五届人大***议闭幕 and 北京今日标题:稳住农***盘做好三***, 巩固拓***攻坚成果.
The solution reduces CPU consumption, avoids full regex scans, allows gradual code migration, and maintains original log formats, making it suitable for backend Java services that require secure log handling.
Yum! Tech Team
How we support the digital platform of China's largest restaurant group—technology behind hundreds of millions of consumers and over 12,000 stores.