From 2cad35f3610a99566876c5bc35c94de8041af9ec Mon Sep 17 00:00:00 2001
From: YunaiV <zhijiantianya@gmail.com>
Date: Sat, 16 Aug 2025 15:57:47 +0800
Subject: [PATCH] =?UTF-8?q?feat=EF=BC=9A=E3=80=90framework=20=E6=A1=86?=
 =?UTF-8?q?=E6=9E=B6=E3=80=91=E5=A2=9E=E5=8A=A0=20api=20=E5=8A=A0=E8=A7=A3?=
 =?UTF-8?q?=E5=AF=86=E8=83=BD=E5=8A=9B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../common/enums/WebFilterOrderEnum.java      |   2 +
 .../encrypt/config/ApiEncryptProperties.java  |  70 ++++++++
 .../YudaoApiEncryptAutoConfiguration.java     |  34 ++++
 .../encrypt/core/annotation/ApiEncrypt.java   |  23 +++
 .../core/filter/ApiDecryptRequestWrapper.java |  86 ++++++++++
 .../encrypt/core/filter/ApiEncryptFilter.java | 152 ++++++++++++++++++
 .../filter/ApiEncryptResponseWrapper.java     | 109 +++++++++++++
 .../yudao/framework/encrypt/package-info.java |   4 +
 .../core/filter/CacheRequestBodyWrapper.java  |  17 +-
 ...ot.autoconfigure.AutoConfiguration.imports |   3 +-
 .../framework/encrypt/ApiEncryptTest.java     |  86 ++++++++++
 .../controller/admin/auth/AuthController.http |  18 +++
 .../src/main/resources/application.yaml       |   7 +
 13 files changed, 606 insertions(+), 5 deletions(-)
 create mode 100644 yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/config/ApiEncryptProperties.java
 create mode 100644 yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/config/YudaoApiEncryptAutoConfiguration.java
 create mode 100644 yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/annotation/ApiEncrypt.java
 create mode 100644 yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiDecryptRequestWrapper.java
 create mode 100644 yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiEncryptFilter.java
 create mode 100644 yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiEncryptResponseWrapper.java
 create mode 100644 yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/package-info.java
 create mode 100644 yudao-framework/yudao-spring-boot-starter-web/src/test/java/cn/iocoder/yudao/framework/encrypt/ApiEncryptTest.java

diff --git a/yudao-framework/yudao-common/src/main/java/cn/iocoder/yudao/framework/common/enums/WebFilterOrderEnum.java b/yudao-framework/yudao-common/src/main/java/cn/iocoder/yudao/framework/common/enums/WebFilterOrderEnum.java
index 11a5ee0782..497a213a2f 100644
--- a/yudao-framework/yudao-common/src/main/java/cn/iocoder/yudao/framework/common/enums/WebFilterOrderEnum.java
+++ b/yudao-framework/yudao-common/src/main/java/cn/iocoder/yudao/framework/common/enums/WebFilterOrderEnum.java
@@ -15,6 +15,8 @@ public interface WebFilterOrderEnum {
 
     int REQUEST_BODY_CACHE_FILTER = Integer.MIN_VALUE + 500;
 
+    int API_ENCRYPT_FILTER = REQUEST_BODY_CACHE_FILTER + 1;
+
     // OrderedRequestContextFilter 默认为 -105，用于国际化上下文等等
 
     int TENANT_CONTEXT_FILTER = - 104; // 需要保证在 ApiAccessLogFilter 前面
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/config/ApiEncryptProperties.java b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/config/ApiEncryptProperties.java
new file mode 100644
index 0000000000..135eb85bb0
--- /dev/null
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/config/ApiEncryptProperties.java
@@ -0,0 +1,70 @@
+package cn.iocoder.yudao.framework.encrypt.config;
+
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.NotNull;
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.validation.annotation.Validated;
+
+/**
+ * HTTP API 加解密配置
+ *
+ * @author 芋道源码
+ */
+@ConfigurationProperties(prefix = "yudao.api-encrypt")
+@Validated
+@Data
+public class ApiEncryptProperties {
+
+    /**
+     * 是否开启
+     */
+    @NotNull(message = "是否开启不能为空")
+    private Boolean enable;
+
+    /**
+     * 请求头（响应头）名称
+     *
+     * 1. 如果该请求头非空，则表示请求参数已被「前端」加密，「后端」需要解密
+     * 2. 如果该响应头非空，则表示响应结果已被「后端」加密，「前端」需要解密
+     */
+    @NotEmpty(message = "请求头（响应头）名称不能为空")
+    private String header = "X-Api-Encrypt";
+
+    /**
+     * 对称加密算法，用于请求/响应的加解密
+     *
+     * 目前支持
+     * 【对称加密】：
+     *      1. {@link cn.hutool.crypto.symmetric.SymmetricAlgorithm#AES}
+     *      2. {@link cn.hutool.crypto.symmetric.SM4#ALGORITHM_NAME} （需要自己二次开发，成本低）
+     * 【非对称加密】
+     *      1. {@link cn.hutool.crypto.asymmetric.AsymmetricAlgorithm#RSA}
+     *      2. {@link cn.hutool.crypto.asymmetric.SM2} （需要自己二次开发，成本低）
+     *
+     * @see <a href="https://help.aliyun.com/zh/ssl-certificate/what-are-a-public-key-and-a-private-key">什么是公钥和私钥？</a>
+     */
+    @NotEmpty(message = "对称加密算法不能为空")
+    private String algorithm;
+
+    /**
+     * 请求的解密密钥
+     *
+     * 注意：
+     * 1. 如果是【对称加密】时，它「后端」对应的是“密钥”。对应的，「前端」也对应的也是“密钥”。
+     * 2. 如果是【非对称加密】时，它「后端」对应的是“私钥”。对应的，「前端」对应的是“公钥”。（重要！！！）
+     */
+    @NotEmpty(message = "请求的解密密钥不能为空")
+    private String requestKey;
+
+    /**
+     * 响应的加密密钥
+     *
+     * 注意：
+     * 1. 如果是【对称加密】时，它「后端」对应的是“密钥”。对应的，「前端」也对应的也是“密钥”。
+     * 2. 如果是【非对称加密】时，它「后端」对应的是“公钥”。对应的，「前端」对应的是“私钥”。（重要！！！）
+     */
+    @NotEmpty(message = "响应的加密密钥不能为空")
+    private String responseKey;
+
+}
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/config/YudaoApiEncryptAutoConfiguration.java b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/config/YudaoApiEncryptAutoConfiguration.java
new file mode 100644
index 0000000000..03d0f1ac12
--- /dev/null
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/config/YudaoApiEncryptAutoConfiguration.java
@@ -0,0 +1,34 @@
+package cn.iocoder.yudao.framework.encrypt.config;
+
+import cn.iocoder.yudao.framework.common.enums.WebFilterOrderEnum;
+import cn.iocoder.yudao.framework.encrypt.core.filter.ApiEncryptFilter;
+import cn.iocoder.yudao.framework.web.config.WebProperties;
+import cn.iocoder.yudao.framework.web.core.handler.GlobalExceptionHandler;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
+
+import static cn.iocoder.yudao.framework.web.config.YudaoWebAutoConfiguration.createFilterBean;
+
+@AutoConfiguration
+@Slf4j
+@EnableConfigurationProperties(ApiEncryptProperties.class)
+@ConditionalOnProperty(prefix = "yudao.api-encrypt", name = "enable", havingValue = "true")
+public class YudaoApiEncryptAutoConfiguration {
+
+    @Bean
+    public FilterRegistrationBean<ApiEncryptFilter> apiEncryptFilter(WebProperties webProperties,
+                                                                     ApiEncryptProperties apiEncryptProperties,
+                                                                     RequestMappingHandlerMapping requestMappingHandlerMapping,
+                                                                     GlobalExceptionHandler globalExceptionHandler) {
+        ApiEncryptFilter filter = new ApiEncryptFilter(webProperties, apiEncryptProperties,
+                requestMappingHandlerMapping, globalExceptionHandler);
+        return createFilterBean(filter, WebFilterOrderEnum.API_ENCRYPT_FILTER);
+
+    }
+
+}
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/annotation/ApiEncrypt.java b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/annotation/ApiEncrypt.java
new file mode 100644
index 0000000000..7405111038
--- /dev/null
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/annotation/ApiEncrypt.java
@@ -0,0 +1,23 @@
+package cn.iocoder.yudao.framework.encrypt.core.annotation;
+
+import java.lang.annotation.*;
+
+/**
+ * HTTP API 加解密注解
+ */
+@Documented
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+public @interface ApiEncrypt {
+
+    /**
+     * 是否对请求参数进行解密，默认 true
+     */
+    boolean request() default true;
+
+    /**
+     * 是否对响应结果进行加密，默认 true
+     */
+    boolean response() default true;
+
+}
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiDecryptRequestWrapper.java b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiDecryptRequestWrapper.java
new file mode 100644
index 0000000000..b9f015a7ec
--- /dev/null
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiDecryptRequestWrapper.java
@@ -0,0 +1,86 @@
+package cn.iocoder.yudao.framework.encrypt.core.filter;
+
+import cn.hutool.core.io.IoUtil;
+import cn.hutool.core.util.StrUtil;
+import cn.hutool.crypto.asymmetric.AsymmetricDecryptor;
+import cn.hutool.crypto.asymmetric.KeyType;
+import cn.hutool.crypto.symmetric.SymmetricDecryptor;
+import jakarta.servlet.ReadListener;
+import jakarta.servlet.ServletInputStream;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequestWrapper;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+/**
+ * 解密请求 {@link HttpServletRequestWrapper} 实现类
+ *
+ * @author 芋道源码
+ */
+public class ApiDecryptRequestWrapper extends HttpServletRequestWrapper {
+
+    private final byte[] body;
+
+    public ApiDecryptRequestWrapper(HttpServletRequest request,
+                                    SymmetricDecryptor symmetricDecryptor,
+                                    AsymmetricDecryptor asymmetricDecryptor) throws IOException {
+        super(request);
+        // 读取 body，允许 HEX、BASE64 传输
+        String requestBody = StrUtil.utf8Str(
+                IoUtil.readBytes(request.getInputStream(), false));
+
+        // 解密 body
+        body = symmetricDecryptor != null ? symmetricDecryptor.decrypt(requestBody)
+                : asymmetricDecryptor.decrypt(requestBody, KeyType.PrivateKey);
+    }
+
+    @Override
+    public BufferedReader getReader() {
+        return new BufferedReader(new InputStreamReader(this.getInputStream()));
+    }
+
+    @Override
+    public int getContentLength() {
+        return body.length;
+    }
+
+    @Override
+    public long getContentLengthLong() {
+        return body.length;
+    }
+
+    @Override
+    public ServletInputStream getInputStream() {
+        ByteArrayInputStream stream = new ByteArrayInputStream(body);
+        return new ServletInputStream() {
+
+            @Override
+            public int read() {
+                return stream.read();
+            }
+
+            @Override
+            public int available() {
+                return body.length;
+            }
+
+            @Override
+            public boolean isFinished() {
+                return false;
+            }
+
+            @Override
+            public boolean isReady() {
+                return false;
+            }
+
+            @Override
+            public void setReadListener(ReadListener readListener) {
+            }
+
+        };
+    }
+}
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiEncryptFilter.java b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiEncryptFilter.java
new file mode 100644
index 0000000000..e6d03ba32b
--- /dev/null
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiEncryptFilter.java
@@ -0,0 +1,152 @@
+package cn.iocoder.yudao.framework.encrypt.core.filter;
+
+import cn.hutool.core.util.StrUtil;
+import cn.hutool.crypto.SecureUtil;
+import cn.hutool.crypto.asymmetric.AsymmetricDecryptor;
+import cn.hutool.crypto.asymmetric.AsymmetricEncryptor;
+import cn.hutool.crypto.symmetric.SymmetricDecryptor;
+import cn.hutool.crypto.symmetric.SymmetricEncryptor;
+import cn.iocoder.yudao.framework.common.pojo.CommonResult;
+import cn.iocoder.yudao.framework.common.util.object.ObjectUtils;
+import cn.iocoder.yudao.framework.common.util.servlet.ServletUtils;
+import cn.iocoder.yudao.framework.encrypt.config.ApiEncryptProperties;
+import cn.iocoder.yudao.framework.encrypt.core.annotation.ApiEncrypt;
+import cn.iocoder.yudao.framework.web.config.WebProperties;
+import cn.iocoder.yudao.framework.web.core.filter.ApiRequestFilter;
+import cn.iocoder.yudao.framework.web.core.handler.GlobalExceptionHandler;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpMethod;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.HandlerExecutionChain;
+import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
+
+import java.io.IOException;
+
+import static cn.iocoder.yudao.framework.common.exception.util.ServiceExceptionUtil.invalidParamException;
+
+/**
+ * API 加密过滤器，处理 {@link ApiEncrypt} 注解。
+ *
+ * 1. 解密请求参数
+ * 2. 加密响应结果
+ *
+ * 疑问：为什么不使用 SpringMVC 的 RequestBodyAdvice 或 ResponseBodyAdvice 机制呢？
+ * 回答：考虑到项目中会记录访问日志、异常日志，以及 HTTP API 签名等场景，最好是全局级、且提前做解析！！！
+ *
+ * @author 芋道源码
+ */
+@Slf4j
+public class ApiEncryptFilter extends ApiRequestFilter {
+
+    private final ApiEncryptProperties apiEncryptProperties;
+
+    private final RequestMappingHandlerMapping requestMappingHandlerMapping;
+
+    private final GlobalExceptionHandler globalExceptionHandler;
+
+    private final SymmetricDecryptor requestSymmetricDecryptor;
+    private final AsymmetricDecryptor requestAsymmetricDecryptor;
+
+    private final SymmetricEncryptor responseSymmetricEncryptor;
+    private final AsymmetricEncryptor responseAsymmetricEncryptor;
+
+    public ApiEncryptFilter(WebProperties webProperties,
+                            ApiEncryptProperties apiEncryptProperties,
+                            RequestMappingHandlerMapping requestMappingHandlerMapping,
+                            GlobalExceptionHandler globalExceptionHandler) {
+        super(webProperties);
+        this.apiEncryptProperties = apiEncryptProperties;
+        this.requestMappingHandlerMapping = requestMappingHandlerMapping;
+        this.globalExceptionHandler = globalExceptionHandler;
+        if (StrUtil.equalsIgnoreCase(apiEncryptProperties.getAlgorithm(), "AES")) {
+            this.requestSymmetricDecryptor = SecureUtil.aes(StrUtil.utf8Bytes(apiEncryptProperties.getRequestKey()));
+            this.requestAsymmetricDecryptor = null;
+            this.responseSymmetricEncryptor = SecureUtil.aes(StrUtil.utf8Bytes(apiEncryptProperties.getResponseKey()));
+            this.responseAsymmetricEncryptor = null;
+        } else if (StrUtil.equalsIgnoreCase(apiEncryptProperties.getAlgorithm(), "RSA")) {
+            this.requestSymmetricDecryptor = null;
+            this.requestAsymmetricDecryptor = SecureUtil.rsa(apiEncryptProperties.getRequestKey(), null);
+            this.responseSymmetricEncryptor = null;
+            this.responseAsymmetricEncryptor = SecureUtil.rsa(null, apiEncryptProperties.getResponseKey());
+        } else {
+            // 补充说明：如果要支持 SM2、SM4 等算法，可在此处增加对应实例的创建，并添加相应的 Maven 依赖即可。
+            throw new IllegalArgumentException("不支持的加密算法：" + apiEncryptProperties.getAlgorithm());
+        }
+    }
+
+    @Override
+    @SuppressWarnings("NullableProblems")
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+            throws ServletException, IOException {
+        // 获取 @ApiEncrypt 注解
+        ApiEncrypt apiEncrypt = getApiEncrypt(request);
+        boolean requestEnable = apiEncrypt != null && apiEncrypt.request();
+        boolean responseEnable = apiEncrypt != null && apiEncrypt.response();
+        String encryptHeader = request.getHeader(apiEncryptProperties.getHeader());
+        if (!requestEnable && !responseEnable && StrUtil.isBlank(encryptHeader))  {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        // 1. 解密请求
+        if (ObjectUtils.equalsAny(HttpMethod.valueOf(request.getMethod()),
+                HttpMethod.POST, HttpMethod.PUT, HttpMethod.DELETE)) {
+            try {
+                if (StrUtil.isNotBlank(encryptHeader)) {
+                    request = new ApiDecryptRequestWrapper(request,
+                            requestSymmetricDecryptor, requestAsymmetricDecryptor);
+                } else if (requestEnable) {
+                    throw invalidParamException("请求未包含加密标头，请检查是否正确配置了加密标头");
+                }
+            } catch (Exception ex) {
+                CommonResult<?> result = globalExceptionHandler.allExceptionHandler(request, ex);
+                ServletUtils.writeJSON(response, result);
+                return;
+            }
+        }
+
+        // 2. 执行过滤器链
+        if (responseEnable) {
+            // 特殊：仅包装，最后执行。目的：Response 内容可以被重复读取！！！
+            response = new ApiEncryptResponseWrapper(response);
+        }
+        chain.doFilter(request, response);
+
+        // 3. 加密响应（真正执行）
+        if (responseEnable) {
+            ((ApiEncryptResponseWrapper) response).encrypt(apiEncryptProperties,
+                    responseSymmetricEncryptor, responseAsymmetricEncryptor);
+        }
+    }
+
+    /**
+     * 获取 @ApiEncrypt 注解
+     *
+     * @param request 请求
+     */
+    private ApiEncrypt getApiEncrypt(HttpServletRequest request) {
+        try {
+            HandlerExecutionChain mappingHandler = requestMappingHandlerMapping.getHandler(request);
+            if (mappingHandler == null) {
+                return null;
+            }
+            Object handler = mappingHandler.getHandler();
+            if (handler instanceof HandlerMethod handlerMethod) {
+                ApiEncrypt annotation = handlerMethod.getMethodAnnotation(ApiEncrypt.class);
+                if (annotation == null) {
+                    annotation = handlerMethod.getBeanType().getAnnotation(ApiEncrypt.class);
+                }
+                return annotation;
+            }
+        } catch (Exception e) {
+            log.error("[getApiEncrypt][url({}/{}) 获取 @ApiEncrypt 注解失败]",
+                    request.getRequestURI(), request.getMethod(), e);
+        }
+        return null;
+    }
+
+}
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiEncryptResponseWrapper.java b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiEncryptResponseWrapper.java
new file mode 100644
index 0000000000..fed38917b9
--- /dev/null
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/core/filter/ApiEncryptResponseWrapper.java
@@ -0,0 +1,109 @@
+package cn.iocoder.yudao.framework.encrypt.core.filter;
+
+import cn.hutool.crypto.asymmetric.AsymmetricEncryptor;
+import cn.hutool.crypto.asymmetric.KeyType;
+import cn.hutool.crypto.symmetric.SymmetricEncryptor;
+import cn.iocoder.yudao.framework.encrypt.config.ApiEncryptProperties;
+import jakarta.servlet.ServletOutputStream;
+import jakarta.servlet.WriteListener;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletResponseWrapper;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.io.PrintWriter;
+
+/**
+ * 加密响应 {@link HttpServletResponseWrapper} 实现类
+ *
+ * @author 芋道源码
+ */
+public class ApiEncryptResponseWrapper extends HttpServletResponseWrapper {
+
+    private final ByteArrayOutputStream byteArrayOutputStream;
+    private final ServletOutputStream servletOutputStream;
+    private final PrintWriter printWriter;
+
+    public ApiEncryptResponseWrapper(HttpServletResponse response) {
+        super(response);
+        this.byteArrayOutputStream = new ByteArrayOutputStream();
+        this.servletOutputStream = this.getOutputStream();
+        this.printWriter = new PrintWriter(new OutputStreamWriter(byteArrayOutputStream));
+    }
+
+    public void encrypt(ApiEncryptProperties properties,
+                        SymmetricEncryptor symmetricEncryptor,
+                        AsymmetricEncryptor asymmetricEncryptor) throws IOException {
+        // 1.1 清空 body
+        HttpServletResponse response = (HttpServletResponse) this.getResponse();
+        response.resetBuffer();
+        // 1.2 获取 body
+        this.flushBuffer();
+        byte[] body = byteArrayOutputStream.toByteArray();
+
+        // 2. 加密 body
+        String encryptedBody = symmetricEncryptor != null ? symmetricEncryptor.encryptBase64(body)
+                : asymmetricEncryptor.encryptBase64(body, KeyType.PublicKey);
+        response.getWriter().write(encryptedBody);
+
+        // 3. 添加加密 header 标识
+        this.addHeader(properties.getHeader(), "true");
+        // 特殊：特殊：https://juejin.cn/post/6867327674675625992
+        this.addHeader("Access-Control-Expose-Headers", properties.getHeader());
+    }
+
+    @Override
+    public PrintWriter getWriter() {
+        return printWriter;
+    }
+
+    @Override
+    public void flushBuffer() throws IOException {
+        if (servletOutputStream != null) {
+            servletOutputStream.flush();
+        }
+        if (printWriter != null) {
+            printWriter.flush();
+        }
+    }
+
+    @Override
+    public void reset() {
+        byteArrayOutputStream.reset();
+    }
+
+    @Override
+    public ServletOutputStream getOutputStream() {
+        return new ServletOutputStream() {
+
+            @Override
+            public boolean isReady() {
+                return false;
+            }
+
+            @Override
+            public void setWriteListener(WriteListener writeListener) {
+            }
+
+            @Override
+            public void write(int b) {
+                byteArrayOutputStream.write(b);
+            }
+
+            @Override
+            @SuppressWarnings("NullableProblems")
+            public void write(byte[] b) throws IOException {
+                byteArrayOutputStream.write(b);
+            }
+
+            @Override
+            @SuppressWarnings("NullableProblems")
+            public void write(byte[] b, int off, int len) {
+                byteArrayOutputStream.write(b, off, len);
+            }
+
+        };
+    }
+
+}
\ No newline at end of file
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/package-info.java b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/package-info.java
new file mode 100644
index 0000000000..ca08197125
--- /dev/null
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/encrypt/package-info.java
@@ -0,0 +1,4 @@
+/**
+ * HTTP API 加密组件：支持 Request 和 Response 的加密、解密
+ */
+package cn.iocoder.yudao.framework.encrypt;
\ No newline at end of file
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/web/core/filter/CacheRequestBodyWrapper.java b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/web/core/filter/CacheRequestBodyWrapper.java
index 8e80fa591f..b5f38d96fd 100644
--- a/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/web/core/filter/CacheRequestBodyWrapper.java
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/main/java/cn/iocoder/yudao/framework/web/core/filter/CacheRequestBodyWrapper.java
@@ -1,14 +1,13 @@
 package cn.iocoder.yudao.framework.web.core.filter;
 
 import cn.iocoder.yudao.framework.common.util.servlet.ServletUtils;
-
 import jakarta.servlet.ReadListener;
 import jakarta.servlet.ServletInputStream;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletRequestWrapper;
+
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
-import java.io.IOException;
 import java.io.InputStreamReader;
 
 /**
@@ -29,12 +28,22 @@ public class CacheRequestBodyWrapper extends HttpServletRequestWrapper {
     }
 
     @Override
-    public BufferedReader getReader() throws IOException {
+    public BufferedReader getReader() {
         return new BufferedReader(new InputStreamReader(this.getInputStream()));
     }
 
     @Override
-    public ServletInputStream getInputStream() throws IOException {
+    public int getContentLength() {
+        return body.length;
+    }
+
+    @Override
+    public long getContentLengthLong() {
+        return body.length;
+    }
+
+    @Override
+    public ServletInputStream getInputStream() {
         final ByteArrayInputStream inputStream = new ByteArrayInputStream(body);
         // 返回 ServletInputStream
         return new ServletInputStream() {
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports b/yudao-framework/yudao-spring-boot-starter-web/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
index 9cdcd09c4e..07a7955c34 100644
--- a/yudao-framework/yudao-spring-boot-starter-web/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
@@ -3,4 +3,5 @@ cn.iocoder.yudao.framework.jackson.config.YudaoJacksonAutoConfiguration
 cn.iocoder.yudao.framework.swagger.config.YudaoSwaggerAutoConfiguration
 cn.iocoder.yudao.framework.web.config.YudaoWebAutoConfiguration
 cn.iocoder.yudao.framework.xss.config.YudaoXssAutoConfiguration
-cn.iocoder.yudao.framework.banner.config.YudaoBannerAutoConfiguration
\ No newline at end of file
+cn.iocoder.yudao.framework.banner.config.YudaoBannerAutoConfiguration
+cn.iocoder.yudao.framework.encrypt.config.YudaoApiEncryptAutoConfiguration
\ No newline at end of file
diff --git a/yudao-framework/yudao-spring-boot-starter-web/src/test/java/cn/iocoder/yudao/framework/encrypt/ApiEncryptTest.java b/yudao-framework/yudao-spring-boot-starter-web/src/test/java/cn/iocoder/yudao/framework/encrypt/ApiEncryptTest.java
new file mode 100644
index 0000000000..12d406e5f5
--- /dev/null
+++ b/yudao-framework/yudao-spring-boot-starter-web/src/test/java/cn/iocoder/yudao/framework/encrypt/ApiEncryptTest.java
@@ -0,0 +1,86 @@
+package cn.iocoder.yudao.framework.encrypt;
+
+import cn.hutool.core.util.RandomUtil;
+import cn.hutool.core.util.StrUtil;
+import cn.hutool.crypto.SecureUtil;
+import cn.hutool.crypto.asymmetric.AsymmetricAlgorithm;
+import cn.hutool.crypto.asymmetric.KeyType;
+import cn.hutool.crypto.asymmetric.RSA;
+import cn.hutool.crypto.symmetric.SymmetricAlgorithm;
+import org.junit.jupiter.api.Test;
+
+import java.util.Objects;
+
+/**
+ * 各种 API 加解密的测试类：不是单测，而是方便大家生成密钥、加密、解密等操作。
+ *
+ * @author 芋道源码
+ */
+@SuppressWarnings("ConstantValue")
+public class ApiEncryptTest {
+
+    @Test
+    public void testGenerateAsymmetric() {
+        String asymmetricAlgorithm = AsymmetricAlgorithm.RSA.getValue();
+//        String asymmetricAlgorithm = "SM2";
+//        String asymmetricAlgorithm = SM4.ALGORITHM_NAME;
+//        String asymmetricAlgorithm = SymmetricAlgorithm.AES.getValue();
+        String requestClientKey = null;
+        String requestServerKey = null;
+        String responseClientKey = null;
+        String responseServerKey = null;
+        if (Objects.equals(asymmetricAlgorithm, AsymmetricAlgorithm.RSA.getValue())) {
+            // 请求的密钥
+            RSA requestRsa = SecureUtil.rsa();
+            requestClientKey = requestRsa.getPublicKeyBase64();
+            requestServerKey = requestRsa.getPrivateKeyBase64();
+            // 响应的密钥
+            RSA responseRsa = new RSA();
+            responseClientKey = responseRsa.getPrivateKeyBase64();
+            responseServerKey = responseRsa.getPublicKeyBase64();
+        } else if (Objects.equals(asymmetricAlgorithm, SymmetricAlgorithm.AES.getValue())) {
+            // AES 密钥可选 32、24、16 位
+            // 请求的密钥（前后端密钥一致）
+            requestClientKey = RandomUtil.randomNumbers(32);
+            requestServerKey = requestClientKey;
+            // 响应的密钥（前后端密钥一致）
+            responseClientKey = RandomUtil.randomNumbers(32);
+            responseServerKey = responseClientKey;
+        }
+
+        // 打印结果
+        System.out.println("requestClientKey = " + requestClientKey);
+        System.out.println("requestServerKey = " + requestServerKey);
+        System.out.println("responseClientKey = " + responseClientKey);
+        System.out.println("responseServerKey = " + responseServerKey);
+    }
+
+    @Test
+    public void testEncrypt_aes() {
+        String key = "52549111389893486934626385991395";
+        String body = "{\n" +
+                "  \"username\": \"admin\",\n" +
+                "  \"password\": \"admin123\",\n" +
+                "  \"uuid\": \"3acd87a09a4f48fb9118333780e94883\",\n" +
+                "  \"code\": \"1024\"\n" +
+                "}";
+        String encrypt = SecureUtil.aes(StrUtil.utf8Bytes(key))
+                .encryptBase64(body);
+        System.out.println("encrypt = " + encrypt);
+    }
+
+    @Test
+    public void testEncrypt_rsa() {
+        String key = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCls2rIpnGdYnLFgz1XU13GbNQ5DloyPpvW00FPGjqn5Z6JpK+kDtVlnkhwR87iRrE5Vf2WNqRX6vzbLSgveIQY8e8oqGCb829myjf1MuI+ZzN4ghf/7tEYhZJGPI9AbfxFqBUzm+kR3/HByAI22GLT96WM26QiMK8n3tIP/yiLswIDAQAB";
+        String body = "{\n" +
+                "  \"username\": \"admin\",\n" +
+                "  \"password\": \"admin123\",\n" +
+                "  \"uuid\": \"3acd87a09a4f48fb9118333780e94883\",\n" +
+                "  \"code\": \"1024\"\n" +
+                "}";
+        String encrypt = SecureUtil.rsa(null, key)
+                .encryptBase64(body, KeyType.PublicKey);
+        System.out.println("encrypt = " + encrypt);
+    }
+
+}
diff --git a/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.http b/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.http
index f42dfcd030..52a724bf35 100644
--- a/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.http
+++ b/yudao-module-system/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.http
@@ -11,6 +11,24 @@ tag: Yunai.local
   "code": "1024"
 }
 
+### 请求 /login 接口【加密 AES】 => 成功
+POST {{baseUrl}}/system/auth/login
+Content-Type: application/json
+tenant-id: {{adminTenantId}}
+tag: Yunai.local
+X-API-ENCRYPT: true
+
+WvSX9MOrenyGfBhEM0g1/hHgq8ocktMZ9OwAJ6MOG5FUrzYF/rG5JF1eMptQM1wT73VgDS05l/37WeRtad+JrqChAul/sR/SdOsUKqjBhvvQx1JVhzxr6s8uUP67aKTSZ6Psv7O32ELxXrzSaQvG5CInzz3w6sLtbNNLd1kXe6Q=
+
+### 请求 /login 接口【加密 RSA】 => 成功
+POST {{baseUrl}}/system/auth/login
+Content-Type: application/json
+tenant-id: {{adminTenantId}}
+tag: Yunai.local
+X-API-ENCRYPT: true
+
+e7QZTork9ZV5CmgZvSd+cHZk3xdUxKtowLM02kOha+gxHK2H/daU8nVBYS3+bwuDRy5abf+Pz1QJJGVAEd27wwrXBmupOOA/bhpuzzDwcRuJRD+z+YgiNoEXFDRHERxPYlPqAe9zAHtihD0ceub1AjybQsEsROew4C3Q602XYW0=
+
 ### 请求 /login 接口 => 成功（无验证码)
 POST {{baseUrl}}/system/auth/login
 Content-Type: application/json
diff --git a/yudao-server/src/main/resources/application.yaml b/yudao-server/src/main/resources/application.yaml
index d82d3974a5..1decd79cda 100644
--- a/yudao-server/src/main/resources/application.yaml
+++ b/yudao-server/src/main/resources/application.yaml
@@ -245,6 +245,13 @@ yudao:
   security:
     permit-all_urls:
       - /admin-api/mp/open/** # 微信公众号开放平台，微信回调接口，不需要登录
+  api-encrypt:
+    enable: true # 是否开启 API 加密
+    algorithm: AES # 加密算法，支持 AES、RSA 等
+    request-key: 52549111389893486934626385991395 # 【AES 案例】请求加密的秘钥，，必须 16、24、32 位
+    response-key: 96103715984234343991809655248883 # 【AES 案例】响应加密的秘钥，AES 案例，必须 16、24、32 位
+#    request-key: MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKWzasimcZ1icsWDPVdTXcZs1DkOWjI+m9bTQU8aOqflnomkr6QO1WWeSHBHzuJGsTlV/ZY2pFfq/NstKC94hBjx7yioYJvzb2bKN/Uy4j5nM3iCF//u0RiFkkY8j0Bt/EWoFTOb6RHf8cHIAjbYYtP3pYzbpCIwryfe0g//KIuzAgMBAAECgYADDjZrYcpZjR2xr7RbXmGtzYbyUGXwZEAqa3XaWBD51J2iSyOkAlQEDjGmxGQ3vvb4qDHHadWI+3/TKNeDXJUO+xTVJrnismK5BsHyC6dfxlIK/5BAuknryTca/3UoA1yomS9ZlF3Q0wcecaDoEnSmZEaTrp9T3itPAz4KnGjv5QJBAN5mNcfu6iJ5ktNvEdzqcxkKwbXb9Nq1SLnmTvt+d5TPX7eQ9fCwtOfVu5iBLhhZzb5PJ7pSN3Zt6rl5/jPOGv0CQQC+vETX9oe1wbxZSv6/RBGy0Xow6GndbJwvd89PcAJ2h+OJXWtg/rRHB3t9EQm7iis0XbZTapj19E4U6l8EibhvAkEA1CvYpRwmHKu1SqdM+GBnW/2qHlBwwXJvpoK02TOm674HR/4w0+YRQJfkd7LOAgcyxJuJgDTNmtt0MmzS+iNoFQJAMVSUIZ77XoDq69U/qcw7H5qaFcgmiUQr6QL9tTftCyb+LGri+MUnby96OtCLSdvkbLjIDS8GvKYhA7vSM2RDNQJBAKGyVVnFFIrbK3yuwW71yvxQEGoGxlgvZSezZ4vGgqTxrr9HvAtvWLwR6rpe6ybR/x8uUtoW7NRBWgpiIFwjvY4= # 【RSA 案例】请求解密的私钥
+#    response-key: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh/CHyBcS/zEfVyINVA7+c9Xxl0CPdxPMK1OIjxaLy/7BLfbkoEpI8onQtjuzfpuxCraDem9bu3BMF0pMH95HytI3Vi0kGjaV+WLIalwgc2w37oA2sbsmKzQOP7SDLO5s2QJNAD7kVwd+Q5rqaLu2MO0xVv+0IUJhn83hClC0L5wIDAQAB # 【RSA 案例】响应加密的公钥
   websocket:
     enable: true # websocket的开关
     path: /infra/ws # 路径