Design and Implementation of Secure Data Transmission in Spring Boot Using AES/RSA Encryption
This article explains how to ensure secure data transmission between front‑end and back‑end in a Spring Boot application by employing hybrid AES/RSA encryption, custom request wrappers, filters for decryption, and AOP for response encryption, complete with utility classes and testing examples.
Secure data transmission between the front‑end and back‑end is essential for web applications. This article describes a design that combines symmetric AES encryption, asymmetric RSA encryption, and a hybrid approach where AES encrypts the payload and RSA encrypts the AES key.
The AESUtil class provides methods for generating random AES keys, encrypting/decrypting byte arrays, and converting between Base64 and hexadecimal representations. The RSAUtil class offers RSA key‑pair generation, public‑key encryption, private‑key decryption, and utilities for Base64/hex conversions.
To read the request body multiple times, a custom RequestWrapper extends HttpServletRequestWrapper, copies the input stream, and overrides getInputStream() and getReader(). It also stores additional parameters in a map, allowing decrypted data to be accessed via getParameter() and related methods.
A DecryptReplaceStreamFilter checks the aksEncrypt header to determine if decryption is required. For POST requests it reads the JSON body, extracts the Base64‑encoded payload and RSA‑encrypted AES key, decrypts the AES key with the server’s private RSA key, then decrypts the payload with AES and rewrites the request body. For GET requests it retrieves the encrypted query parameter, decrypts the RSA‑encrypted AES key from the header, converts the hex‑encoded payload to bytes, and decrypts it with AES, placing the resulting parameters into the wrapper’s map.
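The envelope the filter unwraps, as an added example in plain JCE rather than the article's own AESUtil/RSAUtil code: the client seals the body with a one-time AES key and wraps that key with the server's RSA public key; the server unwraps the key and opens the body. The article does not name its cipher modes, so AES-GCM and RSA-OAEP are my choices, and HybridEnvelopeDemo, seal and open are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class HybridEnvelopeDemo {
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    /** Client side: returns {base64(iv || ciphertext), base64(rsaEncrypted(aesKey))}. */
    static String[] seal(String plaintext, PublicKey serverPub) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();           // fresh key per request
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);              // never reuse an IV with the same key
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = aes.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] ivAndCt = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, ivAndCt, 0, iv.length);
        System.arraycopy(ct, 0, ivAndCt, iv.length, ct.length);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, serverPub);
        byte[] wrappedKey = rsa.doFinal(aesKey.getEncoded());
        Base64.Encoder b64 = Base64.getEncoder();
        return new String[] { b64.encodeToString(ivAndCt), b64.encodeToString(wrappedKey) };
    }

    /** Server side (the filter's job): unwrap the AES key with the private key, then open the body. */
    static String open(String bodyB64, String keyB64, PrivateKey serverPriv) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.DECRYPT_MODE, serverPriv);
        SecretKey aesKey = new SecretKeySpec(rsa.doFinal(Base64.getDecoder().decode(keyB64)), "AES");
        byte[] ivAndCt = Base64.getDecoder().decode(bodyB64);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, aesKey, new GCMParameterSpec(GCM_TAG_BITS, ivAndCt, 0, GCM_IV_BYTES));
        // doFinal throws AEADBadTagException if the body or the wrapped key was altered in transit
        byte[] pt = aes.doFinal(ivAndCt, GCM_IV_BYTES, ivAndCt.length - GCM_IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String[] env = seal("{\"user\":\"alice\"}", kp.getPublic());   // constructed sample body
        System.out.println(open(env[0], env[1], kp.getPrivate()));
    }
}
```

In the filter, catch AEADBadTagException (and any other GeneralSecurityException) and reject the request with a generic 400 rather than letting a partially decrypted or tampered body reach the controller.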
Response encryption is enabled via a custom @ResponseEncrypt annotation. An AOP aspect ResponseEncryptAop intercepts methods annotated with it, obtains the AES key from the request, encrypts the method’s return value using AESUtil.encryptToBase64, and wraps the encrypted string in a standard response object.
The article also includes test entities, controller examples, and a JUnit test class that demonstrates generating keys, encrypting request data, and verifying the full encryption‑decryption cycle for both POST and GET scenarios.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn