├── .gitignore ├── README.md ├── build.gradle ├── gradle └── wrapper │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── gradlew ├── gradlew.bat ├── settings.gradle └── src ├── main ├── java │ └── com │ │ └── arnoldgalovics │ │ └── blog │ │ └── hibernateencryptionlistener │ │ ├── HibernateInterceptorApplication.java │ │ ├── TransactionalRunner.java │ │ ├── config │ │ ├── DatasourceProxyBeanPostProcessor.java │ │ └── EncryptionBeanPostProcessor.java │ │ ├── encryption │ │ ├── Decrypter.java │ │ ├── Encrypted.java │ │ ├── Encrypter.java │ │ ├── EncryptionListener.java │ │ ├── EncryptionUtils.java │ │ ├── FieldDecrypter.java │ │ └── FieldEncrypter.java │ │ └── repository │ │ └── Phone.java └── resources │ └── application.yml └── test └── java └── com └── arnoldgalovics └── blog └── hibernateencryptionlistener └── PhoneEncryptionTest.java /.gitignore: -------------------------------------------------------------------------------- 1 | .gradle 2 | /build/ 3 | !gradle/wrapper/gradle-wrapper.jar 4 | 5 | ### STS ### 6 | .apt_generated 7 | .classpath 8 | .factorypath 9 | .project 10 | .settings 11 | .springBeans 12 | .sts4-cache 13 | 14 | ### IntelliJ IDEA ### 15 | .idea 16 | *.iws 17 | *.iml 18 | *.ipr 19 | /out/ 20 | 21 | ### NetBeans ### 22 | /nbproject/private/ 23 | /nbbuild/ 24 | /dist/ 25 | /nbdist/ 26 | /.nb-gradle/ -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # About the project 2 | The project is a showcase for the following article: https://blog.arnoldgalovics.com/encrypting-jpa-entity-attributes-using-listeners-in-spring 3 | 4 | It shows how to use JPA with Spring to encrypt and decrypt entity attributes transparently, without the calling code handling it explicitly. 5 | The main goal was to show how to use event listeners in Hibernate to achieve this behavior 6 | and additionally to handle Spring's dependency injection in these listeners. The bundled `Encrypter` and `Decrypter` only Base64-encode and decode the value as a stand-in for a cipher, so the stored column is obfuscated rather than encrypted until a keyed, authenticated cipher is plugged in. 
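--------------------------------------------------------------------------------
/build.gradle:
--------------------------------------------------------------------------------
buildscript {
    ext {
        // NOTE(review): the Spring Boot 1.5.x line is no longer maintained upstream, so the
        // dependency versions this plugin manages (Hibernate, H2, the starters below) stop
        // receiving security fixes. Treat this pin as demo-only or move to a supported line.
        springBootVersion = '1.5.16.RELEASE'
    }
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
    }
}

apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'org.springframework.boot'

group = 'com.arnoldgalovics.blog'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = 1.8

repositories {
    mavenCentral()
}


dependencies {
    compile('org.springframework.boot:spring-boot-starter-data-jpa')
    // Needed on the main classpath: DatasourceProxyBeanPostProcessor (main sources) wraps the DataSource with it.
    compile('net.ttddyy:datasource-proxy:1.4.1')
    runtime('com.h2database:h2')
    testCompile('org.springframework.boot:spring-boot-starter-test')
}
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/galovics/hibernate-encryption-listener/34de45c7680cad5d947efb05492660aa50a7a7db/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
# NOTE(review): no distributionSha256Sum is set, so the wrapper does not checksum-verify the
# distribution it downloads. Add a line of the form
#   distributionSha256Sum=<SHA-256 of gradle-3.5.1-bin.zip, placeholder: copy it from the official Gradle release checksums>
distributionUrl=https\://services.gradle.org/distributions/gradle-3.5.1-bin.zip

--------------------------------------------------------------------------------
/gradlew:
--------------------------------------------------------------------------------
#!/usr/bin/env sh
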
############################################################################## 4 | ## 5 | ## Gradle start up script for UN*X 6 | ## 7 | ############################################################################## 8 | 9 | # Attempt to set APP_HOME 10 | # Resolve links: $0 may be a link 11 | PRG="$0" 12 | # Need this for relative symlinks. 13 | while [ -h "$PRG" ] ; do 14 | ls=`ls -ld "$PRG"` 15 | link=`expr "$ls" : '.*-> \(.*\)$'` 16 | if expr "$link" : '/.*' > /dev/null; then 17 | PRG="$link" 18 | else 19 | PRG=`dirname "$PRG"`"/$link" 20 | fi 21 | done 22 | SAVED="`pwd`" 23 | cd "`dirname \"$PRG\"`/" >/dev/null 24 | APP_HOME="`pwd -P`" 25 | cd "$SAVED" >/dev/null 26 | 27 | APP_NAME="Gradle" 28 | APP_BASE_NAME=`basename "$0"` 29 | 30 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 31 | DEFAULT_JVM_OPTS="" 32 | 33 | # Use the maximum available, or set MAX_FD != -1 to use that value. 34 | MAX_FD="maximum" 35 | 36 | warn ( ) { 37 | echo "$*" 38 | } 39 | 40 | die ( ) { 41 | echo 42 | echo "$*" 43 | echo 44 | exit 1 45 | } 46 | 47 | # OS specific support (must be 'true' or 'false'). 48 | cygwin=false 49 | msys=false 50 | darwin=false 51 | nonstop=false 52 | case "`uname`" in 53 | CYGWIN* ) 54 | cygwin=true 55 | ;; 56 | Darwin* ) 57 | darwin=true 58 | ;; 59 | MINGW* ) 60 | msys=true 61 | ;; 62 | NONSTOP* ) 63 | nonstop=true 64 | ;; 65 | esac 66 | 67 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 68 | 69 | # Determine the Java command to use to start the JVM. 70 | if [ -n "$JAVA_HOME" ] ; then 71 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 72 | # IBM's JDK on AIX uses strange locations for the executables 73 | JAVACMD="$JAVA_HOME/jre/sh/java" 74 | else 75 | JAVACMD="$JAVA_HOME/bin/java" 76 | fi 77 | if [ ! 
-x "$JAVACMD" ] ; then 78 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 79 | 80 | Please set the JAVA_HOME variable in your environment to match the 81 | location of your Java installation." 82 | fi 83 | else 84 | JAVACMD="java" 85 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 86 | 87 | Please set the JAVA_HOME variable in your environment to match the 88 | location of your Java installation." 89 | fi 90 | 91 | # Increase the maximum file descriptors if we can. 92 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then 93 | MAX_FD_LIMIT=`ulimit -H -n` 94 | if [ $? -eq 0 ] ; then 95 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then 96 | MAX_FD="$MAX_FD_LIMIT" 97 | fi 98 | ulimit -n $MAX_FD 99 | if [ $? -ne 0 ] ; then 100 | warn "Could not set maximum file descriptor limit: $MAX_FD" 101 | fi 102 | else 103 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" 104 | fi 105 | fi 106 | 107 | # For Darwin, add options to specify how the application appears in the dock 108 | if $darwin; then 109 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" 110 | fi 111 | 112 | # For Cygwin, switch paths to Windows format before running java 113 | if $cygwin ; then 114 | APP_HOME=`cygpath --path --mixed "$APP_HOME"` 115 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` 116 | JAVACMD=`cygpath --unix "$JAVACMD"` 117 | 118 | # We build the pattern for arguments to be converted via cygpath 119 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` 120 | SEP="" 121 | for dir in $ROOTDIRSRAW ; do 122 | ROOTDIRS="$ROOTDIRS$SEP$dir" 123 | SEP="|" 124 | done 125 | OURCYGPATTERN="(^($ROOTDIRS))" 126 | # Add a user-defined pattern to the cygpath arguments 127 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then 128 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" 129 | fi 130 | # Now convert the 
arguments - kludge to limit ourselves to /bin/sh 131 | i=0 132 | for arg in "$@" ; do 133 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` 134 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option 135 | 136 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition 137 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` 138 | else 139 | eval `echo args$i`="\"$arg\"" 140 | fi 141 | i=$((i+1)) 142 | done 143 | case $i in 144 | (0) set -- ;; 145 | (1) set -- "$args0" ;; 146 | (2) set -- "$args0" "$args1" ;; 147 | (3) set -- "$args0" "$args1" "$args2" ;; 148 | (4) set -- "$args0" "$args1" "$args2" "$args3" ;; 149 | (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; 150 | (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; 151 | (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; 152 | (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; 153 | (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; 154 | esac 155 | fi 156 | 157 | # Escape application args 158 | save ( ) { 159 | for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done 160 | echo " " 161 | } 162 | APP_ARGS=$(save "$@") 163 | 164 | # Collect all arguments for the java command, following the shell quoting and substitution rules 165 | eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" 166 | 167 | # by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong 168 | if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then 169 | cd "$(dirname "$0")" 170 | fi 171 | 172 | exec "$JAVACMD" "$@" 173 | -------------------------------------------------------------------------------- /gradlew.bat: -------------------------------------------------------------------------------- 1 | 
@if "%DEBUG%" == "" @echo off 2 | @rem ########################################################################## 3 | @rem 4 | @rem Gradle startup script for Windows 5 | @rem 6 | @rem ########################################################################## 7 | 8 | @rem Set local scope for the variables with windows NT shell 9 | if "%OS%"=="Windows_NT" setlocal 10 | 11 | set DIRNAME=%~dp0 12 | if "%DIRNAME%" == "" set DIRNAME=. 13 | set APP_BASE_NAME=%~n0 14 | set APP_HOME=%DIRNAME% 15 | 16 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 17 | set DEFAULT_JVM_OPTS= 18 | 19 | @rem Find java.exe 20 | if defined JAVA_HOME goto findJavaFromJavaHome 21 | 22 | set JAVA_EXE=java.exe 23 | %JAVA_EXE% -version >NUL 2>&1 24 | if "%ERRORLEVEL%" == "0" goto init 25 | 26 | echo. 27 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 28 | echo. 29 | echo Please set the JAVA_HOME variable in your environment to match the 30 | echo location of your Java installation. 31 | 32 | goto fail 33 | 34 | :findJavaFromJavaHome 35 | set JAVA_HOME=%JAVA_HOME:"=% 36 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 37 | 38 | if exist "%JAVA_EXE%" goto init 39 | 40 | echo. 41 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 42 | echo. 43 | echo Please set the JAVA_HOME variable in your environment to match the 44 | echo location of your Java installation. 45 | 46 | goto fail 47 | 48 | :init 49 | @rem Get command-line arguments, handling Windows variants 50 | 51 | if not "%OS%" == "Windows_NT" goto win9xME_args 52 | 53 | :win9xME_args 54 | @rem Slurp the command line arguments. 
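55 | set CMD_LINE_ARGS= 56 | set _SKIP=2 57 | 58 | :win9xME_args_slurp 59 | if "x%~1" == "x" goto execute 60 | 61 | set CMD_LINE_ARGS=%* 62 | 63 | :execute 64 | @rem Setup the command line 65 | 66 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar 67 | 68 | @rem Execute Gradle 69 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% 70 | 71 | :end 72 | @rem End local scope for the variables with windows NT shell 73 | if "%ERRORLEVEL%"=="0" goto mainEnd 74 | 75 | :fail 76 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 77 | rem the _cmd.exe /c_ return code! 78 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 79 | exit /b 1 80 | 81 | :mainEnd 82 | if "%OS%"=="Windows_NT" endlocal 83 | 84 | :omega 85 |
--------------------------------------------------------------------------------
/settings.gradle:
--------------------------------------------------------------------------------
rootProject.name = 'hibernate-encryption-listener'

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/HibernateInterceptorApplication.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**
 * Spring Boot entry point for the showcase.
 *
 * <p>The class itself holds no configuration; the bean post-processors and the
 * encryption components in the sub-packages are all annotated {@code @Component}.
 */
@SpringBootApplication
public class HibernateInterceptorApplication {
    /**
     * Starts the Spring application context.
     *
     * @param args command-line arguments, handed to {@link SpringApplication#run} unchanged
     */
    public static void main(String[] args) {
        SpringApplication.run(HibernateInterceptorApplication.class, args);
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/TransactionalRunner.java: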
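--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener;

import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import java.util.function.Consumer;
import java.util.function.Function;

/**
 * Runs caller-supplied work against the injected {@link EntityManager}.
 *
 * <p>Both overloads are annotated {@code REQUIRES_NEW}, so each call is declared to run in
 * its own transaction.
 */
@Component
public class TransactionalRunner {
    @PersistenceContext
    private EntityManager em;

    /**
     * Runs {@code c} with the entity manager and returns nothing.
     *
     * @param c the work to perform
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    public void doInTransaction(final Consumer<EntityManager> c) {
        c.accept(em);
    }

    /**
     * Runs {@code f} with the entity manager and returns its result.
     *
     * @param f   the work to perform
     * @param <T> the result type of {@code f}
     * @return whatever {@code f} returns
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    public <T> T doInTransaction(final Function<EntityManager, T> f) {
        return f.apply(em);
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/config/DatasourceProxyBeanPostProcessor.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.config;

import javax.sql.DataSource;

import net.ttddyy.dsproxy.support.ProxyDataSourceBuilder;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.stereotype.Component;

/**
 * Replaces every {@link DataSource} bean with a datasource-proxy wrapper named
 * {@code "dataSource"} that has query counting switched on.
 *
 * <p>NOTE(review): on this page the counts are only read by the test (via
 * {@code QueryCountHolder}), yet the wrapper lives in the main sources and so is active in
 * every run of the application. Confirm that is intended.
 */
@Component
public class DatasourceProxyBeanPostProcessor implements BeanPostProcessor {
    /** Returns the bean untouched; all work happens after initialization. */
    @Override
    public Object postProcessBeforeInitialization(final Object bean, final String beanName) throws BeansException {
        return bean;
    }

    /**
     * Wraps {@code bean} when it is a {@link DataSource}; any other bean is returned as is.
     *
     * @param bean     the initialized bean
     * @param beanName the bean's name (unused)
     * @return the proxy for a data source, otherwise {@code bean}
     */
    @Override
    public Object postProcessAfterInitialization(final Object bean, final String beanName) throws BeansException {
        if (bean instanceof DataSource) {
            DataSource dataSourceBean = (DataSource) bean;
            return ProxyDataSourceBuilder.create(dataSourceBean).name("dataSource").countQuery().build();
        }
        return bean;
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/config/EncryptionBeanPostProcessor.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.config;

import com.arnoldgalovics.blog.hibernateencryptionlistener.encryption.EncryptionListener;
import org.hibernate.event.service.spi.EventListenerRegistry;
import org.hibernate.event.spi.EventType;
import org.hibernate.internal.SessionFactoryImpl;
import org.hibernate.jpa.HibernateEntityManagerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.stereotype.Component;

import javax.persistence.EntityManagerFactory;

/**
 * Registers the Spring-managed {@link EncryptionListener} with Hibernate once the
 * {@link EntityManagerFactory} bean has been initialized.
 *
 * <p>The listener is appended to the {@code PRE_LOAD}, {@code PRE_INSERT} and
 * {@code PRE_UPDATE} groups, which is what makes the field transformation run without any
 * call from application code.
 */
@Component
public class EncryptionBeanPostProcessor implements BeanPostProcessor {
    private static final Logger logger = LoggerFactory.getLogger(EncryptionBeanPostProcessor.class);

    @Autowired
    private EncryptionListener encryptionListener;

    /** Returns the bean untouched; registration happens after initialization. */
    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
        return bean;
    }

    /**
     * Appends the encryption listener when {@code bean} is the entity manager factory.
     *
     * @param bean     the initialized bean
     * @param beanName the bean's name (unused)
     * @return {@code bean}, never a replacement
     */
    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
        if (bean instanceof EntityManagerFactory) {
            // Both casts are unconditional: a JPA provider that is not Hibernate fails here with
            // ClassCastException instead of continuing without the listeners, i.e. without any
            // transformation of @Encrypted fields. Keep that fail-closed behaviour if this is
            // ever relaxed to an instanceof check.
            HibernateEntityManagerFactory hibernateEntityManagerFactory = (HibernateEntityManagerFactory) bean;
            SessionFactoryImpl sessionFactoryImpl = (SessionFactoryImpl) hibernateEntityManagerFactory.getSessionFactory();
            EventListenerRegistry registry = sessionFactoryImpl.getServiceRegistry().getService(EventListenerRegistry.class);
            registry.appendListeners(EventType.PRE_LOAD, encryptionListener);
            registry.appendListeners(EventType.PRE_INSERT, encryptionListener);
            registry.appendListeners(EventType.PRE_UPDATE, encryptionListener);
            logger.info("Encryption has been successfully set up");
        }
        return bean;
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/encryption/Decrypter.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.encryption;

import org.springframework.stereotype.Component;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Reverses {@link Encrypter}: Base64-decodes the stored value and reads the bytes as UTF-8.
 *
 * <p>SECURITY: this is a decoding step, not decryption. No key is involved, so anyone who can
 * read the column can recover the original value. It stands in for a real cipher in this
 * showcase; a production implementation would decrypt with a key held outside the database
 * and verify an authentication tag.
 */
@Component
public class Decrypter {
    /**
     * Decodes a stored column value.
     *
     * @param value the Base64 text read from the database; must not be {@code null}
     * @return the original string
     * @throws IllegalArgumentException if {@code value} is not valid Base64, for example a row
     *                                  that was written before the listener was installed
     */
    public String decrypt(String value) {
        return new String(Base64.getDecoder().decode(value.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/encryption/Encrypted.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.encryption;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks an entity field whose value is transformed by {@link FieldEncrypter} before it is
 * written and by {@link FieldDecrypter} when it is loaded.
 *
 * <p>Only {@code String} values are supported; both helpers throw
 * {@code IllegalStateException} for a non-null value of any other type.
 */
@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
public @interface Encrypted {
}

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/encryption/Encrypter.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.encryption;

import org.springframework.stereotype.Component;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Produces the value that is stored for an {@link Encrypted} field.
 *
 * <p>SECURITY: the implementation Base64-encodes the UTF-8 bytes. That is a reversible
 * encoding with no key, so it gives no confidentiality and, being deterministic, equal
 * inputs always produce equal stored values. It is a placeholder that lets the listener
 * wiring be demonstrated. A real implementation would use an authenticated cipher (for
 * example AES-GCM with a fresh random nonce per value) and take the key from a keystore or
 * key-management service rather than from code or the database.
 */
@Component
public class Encrypter {
    /**
     * Encodes a field value for storage.
     *
     * @param value the plaintext; must not be {@code null}
     * @return the Base64 text that is written to the column
     */
    public String encrypt(String value) {
        return Base64.getEncoder().encodeToString(value.getBytes(StandardCharsets.UTF_8));
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/encryption/EncryptionListener.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.encryption;

import org.hibernate.event.spi.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

/**
 * Hibernate event listener that transforms {@link Encrypted} fields on the way to and from
 * the database.
 *
 * <p>Each handler passes the event's {@code state} array to the field helper, which rewrites
 * the matching entries in place. The entity object is only used to find the annotated
 * fields and is not modified by the code in this class, so on insert and update the
 * in-memory entity keeps the plaintext value while the transformed value is what the state
 * array carries.
 */
@Component
public class EncryptionListener implements PreInsertEventListener, PreUpdateEventListener, PreLoadEventListener {
    @Autowired
    private FieldEncrypter fieldEncrypter;

    @Autowired
    private FieldDecrypter fieldDecrypter;

    /**
     * Transforms the annotated entries of the insert state.
     *
     * @return {@code false}, meaning the insert is not vetoed
     */
    @Override
    public boolean onPreInsert(PreInsertEvent event) {
        Object[] state = event.getState();
        String[] propertyNames = event.getPersister().getPropertyNames();
        Object entity = event.getEntity();
        fieldEncrypter.encrypt(state, propertyNames, entity);
        return false;
    }

    /**
     * Transforms the annotated entries of the update state.
     *
     * @return {@code false}, meaning the update is not vetoed
     */
    @Override
    public boolean onPreUpdate(PreUpdateEvent event) {
        Object[] state = event.getState();
        String[] propertyNames = event.getPersister().getPropertyNames();
        Object entity = event.getEntity();
        fieldEncrypter.encrypt(state, propertyNames, entity);
        return false;
    }

    /** Reverses the transformation on the annotated entries of the loaded state. */
    @Override
    public void onPreLoad(PreLoadEvent event) {
        Object[] state = event.getState();
        String[] propertyNames = event.getPersister().getPropertyNames();
        Object entity = event.getEntity();
        fieldDecrypter.decrypt(state, propertyNames, entity);
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/encryption/EncryptionUtils.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.encryption;

import org.springframework.core.annotation.AnnotationUtils;

import java.lang.reflect.Field;

/** Static helpers shared by {@link FieldEncrypter} and {@link FieldDecrypter}. */
public abstract class EncryptionUtils {
    /**
     * Tells whether a field carries the {@link Encrypted} annotation.
     *
     * @param field the field to inspect
     * @return {@code true} when the annotation is found
     */
    public static boolean isFieldEncrypted(Field field) {
        return AnnotationUtils.findAnnotation(field, Encrypted.class) != null;
    }

    /**
     * Finds the position of a property name in the persister's property-name array.
     *
     * @param name       the Java field name to look up
     * @param properties the property names, in the same order as the state array
     * @return the index of the first entry equal to {@code name}
     * @throws IllegalArgumentException if no entry matches, which makes the triggering
     *                                  insert, update or load fail rather than skip the field
     */
    public static int getPropertyIndex(String name, String[] properties) {
        for (int i = 0; i < properties.length; i++) {
            if (name.equals(properties[i])) {
                return i;
            }
        }
        throw new IllegalArgumentException("No property was found for name " + name);
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/encryption/FieldDecrypter.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.encryption;

import java.lang.reflect.Field;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.ReflectionUtils;

/** Applies {@link Decrypter} to every {@link Encrypted} field of a loaded entity's state. */
@Component
public class FieldDecrypter {
    @Autowired
    private Decrypter decrypter;

    /**
     * Rewrites, in place, the state entries that belong to annotated fields.
     *
     * @param state         the property values of the entity being loaded
     * @param propertyNames the property names, index-aligned with {@code state}
     * @param entity        the entity; only its class is inspected
     */
    public void decrypt(Object[] state, String[] propertyNames, Object entity) {
        ReflectionUtils.doWithFields(entity.getClass(), field -> decryptField(field, state, propertyNames), EncryptionUtils::isFieldEncrypted);
    }

    /**
     * Decodes one annotated field's entry. {@code null} entries are left as they are.
     *
     * @throws IllegalStateException if the entry is non-null and not a {@code String}
     */
    private void decryptField(Field field, Object[] state, String[] propertyNames) {
        int propertyIndex = EncryptionUtils.getPropertyIndex(field.getName(), propertyNames);
        Object currentValue = state[propertyIndex];
        if (currentValue != null) {
            if (!(currentValue instanceof String)) {
                throw new IllegalStateException("Encrypted annotation was used on a non-String field");
            }
            state[propertyIndex] = decrypter.decrypt(currentValue.toString());
        }
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/encryption/FieldEncrypter.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.encryption;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.ReflectionUtils;

import java.lang.reflect.Field;

/** Applies {@link Encrypter} to every {@link Encrypted} field of an entity's outgoing state. */
@Component
public class FieldEncrypter {
    @Autowired
    private Encrypter encrypter;

    /**
     * Rewrites, in place, the state entries that belong to annotated fields.
     *
     * @param state         the property values about to be written
     * @param propertyNames the property names, index-aligned with {@code state}
     * @param entity        the entity; only its class is inspected
     */
    public void encrypt(Object[] state, String[] propertyNames, Object entity) {
        ReflectionUtils.doWithFields(entity.getClass(), field -> encryptField(field, state, propertyNames), EncryptionUtils::isFieldEncrypted);
    }

    /**
     * Encodes one annotated field's entry. {@code null} entries are left as they are, so a
     * null column stays null in the database.
     *
     * @throws IllegalStateException if the entry is non-null and not a {@code String}
     */
    private void encryptField(Field field, Object[] state, String[] propertyNames) {
        int propertyIndex = EncryptionUtils.getPropertyIndex(field.getName(), propertyNames);
        Object currentValue = state[propertyIndex];
        if (currentValue != null) {
            if (!(currentValue instanceof String)) {
                throw new IllegalStateException("Encrypted annotation was used on a non-String field");
            }
            state[propertyIndex] = encrypter.encrypt(currentValue.toString());
        }
    }
}
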
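--------------------------------------------------------------------------------
/src/main/java/com/arnoldgalovics/blog/hibernateencryptionlistener/repository/Phone.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener.repository;

import com.arnoldgalovics.blog.hibernateencryptionlistener.encryption.Encrypted;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import java.util.UUID;

/** Sample entity whose phone number is transformed by the encryption listener. */
@Entity
public class Phone {
    @Id
    private UUID id;

    // Held as plaintext in the entity; the listener writes the transformed value to the
    // phone_number column. The stored form is longer than the plaintext (Base64 expands by
    // roughly a third), so the column has to be sized for it. TODO confirm the column length.
    @Column(name = "phone_number")
    @Encrypted
    private String phoneNumber;

    /** No-argument constructor for the persistence provider. */
    protected Phone() {
    }

    /**
     * Creates a phone with a freshly generated random identifier.
     *
     * @param phoneNumber the plaintext phone number; may be {@code null}
     */
    public Phone(String phoneNumber) {
        this.id = UUID.randomUUID();
        this.phoneNumber = phoneNumber;
    }

    public UUID getId() {
        return id;
    }

    /** Returns the plaintext phone number as held by the entity. */
    public String getPhoneNumber() {
        return phoneNumber;
    }

    public void setPhoneNumber(String phoneNumber) {
        this.phoneNumber = phoneNumber;
    }
}

--------------------------------------------------------------------------------
/src/main/resources/application.yml:
--------------------------------------------------------------------------------
spring:
  jpa:
    properties:
      hibernate:
        show_sql: true
        format_sql: true
logging:
  level:
    root: error

--------------------------------------------------------------------------------
/src/test/java/com/arnoldgalovics/blog/hibernateencryptionlistener/PhoneEncryptionTest.java:
--------------------------------------------------------------------------------
package com.arnoldgalovics.blog.hibernateencryptionlistener;

import com.arnoldgalovics.blog.hibernateencryptionlistener.repository.Phone;
import net.ttddyy.dsproxy.QueryCountHolder;
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

import javax.persistence.Query;
import java.util.UUID;

import static org.assertj.core.api.Assertions.assertThat;

/**
 * Integration test for the listener wiring: values written through JPA must be stored in a
 * transformed form and must come back as plaintext when read through JPA.
 *
 * <p>NOTE(review): the native-query checks use {@code isNotEqualTo}, which only shows that
 * the stored text differs from the plaintext. They pass for any transformation, including
 * the keyless Base64 placeholder, so they do not demonstrate confidentiality. When a real
 * cipher is plugged in, add a check that two writes of the same plaintext produce different
 * stored values.
 */
@RunWith(SpringRunner.class)
@SpringBootTest
public class PhoneEncryptionTest {
    @Autowired
    private TransactionalRunner txRunner;

    /** Removes all rows and resets the query counters so each test starts from zero. */
    @After
    public void tearDown() {
        txRunner.doInTransaction(em -> {
            em.createQuery("DELETE FROM Phone").executeUpdate();
        });
        QueryCountHolder.clear();
    }

    @Test
    public void testInsertionWorks() {
        String expectedPhoneNumber = "00361234567";
        // Persisting a phone entity through JPA, this should encrypt the phone number column
        UUID phoneId = txRunner.doInTransaction(em -> {
            Phone newPhone = new Phone(expectedPhoneNumber);
            em.persist(newPhone);
            return newPhone.getId();
        });

        // Checks if the database has the phone number value in an encrypted form
        txRunner.doInTransaction(em -> {
            Query query = em.createNativeQuery("SELECT phone_number FROM Phone where id = :phoneId");
            query.setParameter("phoneId", phoneId);
            String nativePhoneNumber = (String) query.getSingleResult();
            assertThat(nativePhoneNumber).isNotEqualTo(expectedPhoneNumber);
        });

        // Checks if the decryption happened automatically when getting the row through JPA
        txRunner.doInTransaction(em -> {
            Phone phone = em.find(Phone.class, phoneId);
            assertThat(phone.getPhoneNumber()).isEqualTo(expectedPhoneNumber);
        });
        // One insert, two selects (native check + find) and no update: loading the row and
        // decrypting it must not mark the entity dirty.
        assertThat(QueryCountHolder.getGrandTotal().getInsert()).isEqualTo(1);
        assertThat(QueryCountHolder.getGrandTotal().getSelect()).isEqualTo(2);
        assertThat(QueryCountHolder.getGrandTotal().getUpdate()).isEqualTo(0);
    }

    @Test
    public void testUpdateWorks() {
        String oldPhoneNumber = "0987654321";
        String expectedPhoneNumber = "00361234567";
        // Persisting a phone entity through JPA, this should encrypt the phone number column
        UUID phoneId = txRunner.doInTransaction(em -> {
            Phone newPhone = new Phone(oldPhoneNumber);
            em.persist(newPhone);
            return newPhone.getId();
        });

        // Checks if the database has the phone number value in an encrypted form
        txRunner.doInTransaction(em -> {
            Query query = em.createNativeQuery("SELECT phone_number FROM Phone where id = :phoneId");
            query.setParameter("phoneId", phoneId);
            String nativePhoneNumber = (String) query.getSingleResult();
            assertThat(nativePhoneNumber).isNotEqualTo(oldPhoneNumber);
        });

        // Update the phone number
        txRunner.doInTransaction(em -> {
            Phone phone = em.find(Phone.class, phoneId);
            phone.setPhoneNumber(expectedPhoneNumber);
        });

        // Checks if the database has the phone number value in an encrypted form
        txRunner.doInTransaction(em -> {
            Query query = em.createNativeQuery("SELECT phone_number FROM Phone where id = :phoneId");
            query.setParameter("phoneId", phoneId);
            String nativePhoneNumber = (String) query.getSingleResult();
            assertThat(nativePhoneNumber).isNotEqualTo(expectedPhoneNumber);
        });

        // Checks if the decryption happened automatically when getting the row through JPA
        txRunner.doInTransaction(em -> {
            Phone phone = em.find(Phone.class, phoneId);
            assertThat(phone.getPhoneNumber()).isEqualTo(expectedPhoneNumber);
        });
        assertThat(QueryCountHolder.getGrandTotal().getInsert()).isEqualTo(1);
        assertThat(QueryCountHolder.getGrandTotal().getSelect()).isEqualTo(4);
        assertThat(QueryCountHolder.getGrandTotal().getUpdate()).isEqualTo(1);
    }

    @Test
    public void testNullWorks() {
        // Persisting a phone entity with a null field value
        UUID phoneId = txRunner.doInTransaction(em -> {
            Phone newPhone = new Phone(null);
            em.persist(newPhone);
            return newPhone.getId();
        });

        // Checks if the database has the null value
        txRunner.doInTransaction(em -> {
            Query query = em.createNativeQuery("SELECT phone_number FROM Phone where id = :phoneId");
            query.setParameter("phoneId", phoneId);
            String nativePhoneNumber = (String) query.getSingleResult();
            assertThat(nativePhoneNumber).isNull();
        });

        // Checks if the decryption handles null value from db
        txRunner.doInTransaction(em -> {
            Phone phone = em.find(Phone.class, phoneId);
            assertThat(phone.getPhoneNumber()).isNull();
        });
    }
}

--------------------------------------------------------------------------------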