0

I am using Jackson to serialize POJOs to JSON before saving them to the database. For security reasons, I need to encrypt properties marked with the annotation, @Confidential. The fields (properties) that need to be encrypted need not be top-level fields and could be deeply nested.

For example, consider the following POJOs. homeAddress and age of the person need to be encrypted (they are not the top-level fields of the Neighborhood class).

@Serializable 
private class Neighborhood {
   private String name;
   private Collection<Person> people;
}

@Serializable
public class Person {
   private String name;

   @Confidential
   private int age;

   @Confidential
   private Address homeAddress;
}

@Serializable
public class Address {
   private String streetAddress;
   private String city;
   private String state;
   private int zip;
}

I am thinking of writing an annotation processor that creates a field registry. The registry will be created using reflection and will walk all classes marked with @Serializable annotation. The registry will have information about which fields need to be encrypted and which need not.

Now, after the Neighborhood POJO is serialized to JSON, I should be able to walk to the JSON and look up the fields in the field registry and do the needful. However, I do not know what to do if the properties are collections (i.e. Lists and Maps) and the generic type information is lost.

Questions:

  • Is there a better and simpler approach than the one that I described? If yes, what's that approach?

  • If there isn't a better approach, how do I process collections (lists and maps).

This question is not same as Customize Jackson ObjectMapper to Read custom Annotation and mask fields annotated

Here are the reason's why:

  • We do not know which classes and fields will be annotated with the @Confidential annotation. So not sure how I can generate all needed custom serializers on the fly and register them with a SerializationModule in Jackson's ObjectMapper.
  • The generated Serializer should know how to handle both encrypted and non-encrypted fields.
  • Not sure how I will inject the Encryption Client in to the Serializer.
user544192
  • 695
  • 2
  • 10
  • 23
  • Do you really need to `encrypt` them? Maybe easier would be do not include them to output `JSON` using [view](https://www.baeldung.com/jackson-json-view-annotation)? What do you think? In other case, how you would like to encrypt age which is int type? In class this is `int` but in `JSON` it should be `String` does not it? – Michał Ziober Jan 03 '19 at 23:11
  • Sorry, I do need to encrypt the fields marked as @Confidential. Not including them is not an option. – user544192 Jan 04 '19 at 19:09
  • I understand. Does link to duplicated question help somehow? If not, we can extend linked solution to handle properly other types then `String`. – Michał Ziober Jan 04 '19 at 19:49
  • The linked solution does not work for the cases where we don't know which classes and fields are marked as confidential. I modeled something based on https://github.com/codesqueak/jackson-json-crypto but ran into issues when the POJO fields are marked final. More details here: https://stackoverflow.com/questions/54086246 – user544192 Jan 08 '19 at 06:37

0 Answers0