λab's Blog

Programming::Java

ToStringBuilder#reflectionToStringを拡張してフィールド値を暗号化する

ToStringBuilder#reflectionToStringは便利だし、ログ出力に使うこともよくあるけど、HTTPリクエスト情報のパスワードとか生で出力しちゃうとセキュリティ的に問題。 とかいって毎回パスワードだけ手動で暗号化処理をして出力させるってのも面倒くさいし、保守性も悪い。
ということで暗号化したいフィールドはアノテーションをつけて暗号化するようにすれば楽そう。ToStringBuilderをいじる。

Crypt.java

package am.ik.util.crypt.annotation;

import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;

@Retention(RetentionPolicy.RUNTIME)
public @interface Crypt {
    // 暗号化処理クラスをここで指定できるようにしたら良さそう
}

CryptReflectionToStringBuilder.java

package am.ik.util.crypt;

import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;

import org.apache.commons.lang.builder.ReflectionToStringBuilder;
import org.apache.commons.lang.builder.ToStringStyle;

import am.ik.util.crypt.annotation.Crypt;

public class CryptReflectionToStringBuilder extends ReflectionToStringBuilder {

	@SuppressWarnings("unchecked")
	public CryptReflectionToStringBuilder(Object object, ToStringStyle style,
			StringBuffer buffer, Class reflectUpToClass,
			boolean outputTransients, boolean outputStatics) {
		super(object, style, buffer, reflectUpToClass, outputTransients,
				outputStatics);
	}

	@SuppressWarnings("unchecked")
	@Override
	protected void appendFieldsIn(Class clazz) {
		// ReflectionToStringBuilder#appendFieldsInのコピペ...
		if (clazz.isArray()) {
			this.reflectionAppendArray(this.getObject());
			return;
		}

		Field[] fields = clazz.getDeclaredFields();
		AccessibleObject.setAccessible(fields, true);

		for (Field field : fields) {
			String fieldName = field.getName();
			if (this.accept(field)) {
				try {
					Object fieldValue = this.getValue(field);
					Crypt crypt = field.getAnnotation(Crypt.class);
					if (crypt != null) {
						// ここで適当な暗号化処理を行う
						fieldValue = "****";
					}
					this.append(fieldName, fieldValue);
				} catch (IllegalAccessException ex) {
					throw new InternalError(
							"Unexpected IllegalAccessException: "
									+ ex.getMessage());
				}
			}
		}
	}
}

CryptToStringBuilder.java

package am.ik.util.crypt;

import org.apache.commons.lang.builder.ToStringBuilder;
import org.apache.commons.lang.builder.ToStringStyle;

public class CryptToStringBuilder extends ToStringBuilder {
	public CryptToStringBuilder(Object object, ToStringStyle style,
			StringBuffer buffer) {
		super(object, style, buffer);
	}

	public static String reflectionToString(Object object) {
		return new CryptReflectionToStringBuilder(object, null, null, null,
				false, false).toString();
	}
}

出力例

public class CryptToStringBuilderTest {
	public static class Hoge {
		private final String name;
		@Crypt
		private final String password;

		public Hoge(String name, String password) {
			super();
			this.name = name;
			this.password = password;
		}

		public String getName() {
			return name;
		}

		public String getPassword() {
			return password;
		}

	}

	@Test
	public void test() {
		Hoge hoge = new Hoge("foo", "bar");
		System.out.println(CryptToStringBuilder.reflectionToString(hoge));
	}
}

出力すると

am.ik.util.crypt.CryptToStringBuilderTest$Hoge@2c64f6cd[name=foo,password=****]

Created at : 2010-01-31 20:22:59   Updated at : 2010-01-31 20:25:15
Category : Programming::Java

powered by ver 0.1.0 on