
Master Data Desensitization in Java with Hutool: From Basics to Annotations

This article explains data desensitization concepts, common masking rules, and demonstrates how to use the Hutool library and Jackson annotations in Java to mask sensitive fields such as IDs, phone numbers, and passwords, while also comparing alternative tools.

JD Cloud Developers

1.1 Definition of Data Desensitization

Data desensitization, as defined by Baidu Baike, is the transformation of sensitive information using masking rules to protect privacy, allowing safe use of realistic data in development, testing, and outsourced environments. It covers IDs, phone numbers, card numbers, etc., and is a database security technique.

1.2 Common Masking Rules

Typical rules include replacement, reordering, encryption, truncation, and masking. For example, a mask can keep the first few digits of an ID and replace the rest with “X” or “*”. Names can be pseudonymized.

2. Hutool Tool Introduction

2.1 Adding Maven Dependency

<code>&lt;dependency&gt;
    &lt;groupId&gt;cn.hutool&lt;/groupId&gt;
    &lt;artifactId&gt;hutool-all&lt;/artifactId&gt;
    &lt;version&gt;5.8.16&lt;/version&gt;
&lt;/dependency&gt;
</code>

Hutool 5.x requires JDK 8+. The desensitization utilities are available from version 5.6 onward.

2.2 Components Included in Hutool

Hutool wraps many JDK utilities (file, stream, encryption, regex, XML, etc.) into convenient Util classes. The desensitization functions reside in the hutool.core module.

2.3 Supported Desensitization Types

User ID

Chinese name

ID card number

Fixed phone

Mobile phone

Address

Email

Password

Chinese mainland car license

Bank card

3. Practical Use of Hutool

3.1 One‑line Desensitization with Hutool

The following test code demonstrates masking of phone numbers, bank cards, ID numbers, and passwords using DesensitizedUtil.

<code>import cn.hutool.core.util.DesensitizedUtil;
import org.junit.Test;
import org.springframework.boot.test.context.SpringBootTest;

@SpringBootTest
public class HuToolDesensitizationTest {

    @Test
    public void testPhoneDesensitization() {
        String phone = "13723231234";
        System.out.println(DesensitizedUtil.mobilePhone(phone)); // 137****1234
    }

    @Test
    public void testBankCardDesensitization() {
        String bankCard = "6217000130008255666";
        System.out.println(DesensitizedUtil.bankCard(bankCard)); // 6217 **** **** *** 5666
    }

    @Test
    public void testIdCardNumDesensitization() {
        String idCardNum = "411021199901102321";
        System.out.println(DesensitizedUtil.idCardNum(idCardNum, 4, 2)); // 4110************21
    }

    @Test
    public void testPasswordDesensitization() {
        String password = "www.jd.com_35711";
        System.out.println(DesensitizedUtil.password(password)); // ****************
    }
}
</code>

3.2 Annotation‑Based Desensitization with Jackson

Define an enum DesensitizationTypeEnum for the supported types, create a @Desensitization annotation, and implement a custom JsonSerializer (DesensitizationSerialize) that applies the appropriate DesensitizedUtil method based on the annotation.

<code>public enum DesensitizationTypeEnum {
    MY_RULE, USER_ID, CHINESE_NAME, ID_CARD, FIXED_PHONE,
    MOBILE_PHONE, ADDRESS, EMAIL, PASSWORD, CAR_LICENSE, BANK_CARD
}
</code>

Annotation definition:

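<code>import com.fasterxml.jackson.annotation.JacksonAnnotationsInside;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
@JacksonAnnotationsInside
@JsonSerialize(using = DesensitizationSerialize.class)
public @interface Desensitization {
    DesensitizationTypeEnum type() default DesensitizationTypeEnum.MY_RULE;
    int startInclude() default 0;
    int endExclude() default 0;
}
</code>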

The serializer selects the masking strategy and writes the masked string.
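The serializer class itself is not shown on this page. The following is an added example of one way to write it, not the article's own code. It assumes the enum and annotation above are in the same package; the `4, 2` and `8` arguments for ID_CARD and ADDRESS and the mask-everything fallback are choices made for this example.

```java
// Added example: a contextual Jackson serializer for @Desensitization fields.
// Assumes Desensitization and DesensitizationTypeEnum (defined above) are in this package.
import cn.hutool.core.util.DesensitizedUtil;
import cn.hutool.core.util.StrUtil;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.BeanProperty;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.ser.ContextualSerializer;
import java.io.IOException;

public class DesensitizationSerialize extends JsonSerializer<String> implements ContextualSerializer {
    private final Desensitization rule; // null when no annotation has been bound

    public DesensitizationSerialize() { this(null); }
    private DesensitizationSerialize(Desensitization rule) { this.rule = rule; }

    @Override // Jackson calls this per property, so each field gets its own rule.
    public JsonSerializer<?> createContextual(SerializerProvider prov, BeanProperty property) {
        Desensitization ann = property == null ? null : property.getAnnotation(Desensitization.class);
        return ann == null ? this : new DesensitizationSerialize(ann);
    }

    @Override
    public void serialize(String value, JsonGenerator gen, SerializerProvider prov) throws IOException {
        gen.writeString(mask(value));
    }

    private static String maskAll(String v) { return StrUtil.hide(v, 0, v.length()); }

    String mask(String v) {
        if (rule == null) return maskAll(v); // fail closed: never emit the raw value
        switch (rule.type()) {
            case MY_RULE: // an empty range would make hide() return the input unchanged
                return rule.endExclude() > rule.startInclude()
                        ? StrUtil.hide(v, rule.startInclude(), rule.endExclude()) : maskAll(v);
            case USER_ID:      return String.valueOf(DesensitizedUtil.userId());
            case CHINESE_NAME: return DesensitizedUtil.chineseName(v);
            case ID_CARD:      return DesensitizedUtil.idCardNum(v, 4, 2); // assumed: keep 4 + 2
            case FIXED_PHONE:  return DesensitizedUtil.fixedPhone(v);
            case MOBILE_PHONE: return DesensitizedUtil.mobilePhone(v);
            case ADDRESS:      return DesensitizedUtil.address(v, 8);      // assumed: hide last 8
            case EMAIL:        return DesensitizedUtil.email(v);
            case PASSWORD:     return DesensitizedUtil.password(v);
            case CAR_LICENSE:  return DesensitizedUtil.carLicense(v);
            case BANK_CARD:    return DesensitizedUtil.bankCard(v);
            default:           return maskAll(v); // unknown type: mask everything
        }
    }
}
```

With the annotation's defaults (MY_RULE, 0, 0) `StrUtil.hide` would return the value unchanged, so this example masks the whole string in that case. The PASSWORD rule still reveals the password's length, as the 16 asterisks in section 3.1 show.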

3.3 Applying the Annotation

Example POJO and controller demonstrate automatic masking of fields such as phone, password, and address when the object is serialized to JSON.

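<code>import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;

@Data
@NoArgsConstructor
@AllArgsConstructor
public class TestPojo {
    // Not annotated, so it is serialized unchanged
    private String userName;

    @Desensitization(type = DesensitizationTypeEnum.MOBILE_PHONE)
    private String phone;

    @Desensitization(type = DesensitizationTypeEnum.PASSWORD)
    private String password;

    // Custom rule: mask the characters at index 0 (inclusive) to 2 (exclusive)
    @Desensitization(type = DesensitizationTypeEnum.MY_RULE, startInclude = 0, endExclude = 2)
    private String address;
}
</code>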

4. Other Common Desensitization Tools

4.1 Apache ShardingSphere

Provides a SQL‑level desensitization module that rewrites queries based on configured rules.

4.2 FastJSON

Supports annotation‑based or filter‑based masking by implementing custom serializers.

4.3 Mybatis‑mate

Offers a desensitization plugin that requires a license configuration.

5. Summary

The article introduced the concept of data desensitization, common masking rules, and detailed usage of the Hutool library, including one‑line utilities and annotation‑driven masking with Jackson. It also listed alternative tools such as ShardingSphere, FastJSON, and Mybatis‑mate for various scenarios.
