(5 Most Wanted features, XML module, Blackbird)

Jackson 2.12.0 was just released on November 29, 2020. It is another “minor” version — meaning that it should be fully backwards-compatible with previous 2.x versions — but packs in much more new functionality than 2.11 event thought its development process took exactly as long: 7 months. So it is yet another powerful step forward with Jackson 2.x.

For full details of everything that is included in 2.12.0, please refer to the 2.12 Release Notes page: this blog post is meant to give a brief overview of some of most notably inclusions — after all, there are no fewer than 100 issues resolved (again, twice as many as 2.11!). …

Jackson is a mature and feature-rich open source project that we use, support, and contribute to here at Indeed. In my previous post, I introduced Jackson’s core competency as a JSON library for Java. I went on to describe the additional data formats, data types, and JVM languages Jackson supports. In this post, I will present challenges resulting from Jackson’s expansion, in my view, as Jackson’s creator and primary maintainer. I’ll also share our plans to address these challenges as a community.

Image for post
Image for post

Growing pains

Over its 13 years, the Jackson project added a lot of new functionality with the help of a large community of contributors. Users report issues and developers contribute fixes, new features, and even new modules. For example, the Java 8 date/time datatype module — which supports Java 8 date/time types, java.time.*, specified in JSR-310 — was developed concurrently with the specification itself by a member of the community. …

Jackson is a mature and feature-rich open source project that we use, support, and contribute to here at Indeed. As Jackson’s creator and primary maintainer, I want to highlight Jackson’s core competencies, extensions, and challenges in this two-part series.

Image for post
Image for post

Jackson’s core competency

If you’re creating a web service in Java that reads or returns JSON, you need a library to convert Java objects into JSON and vice versa. Since this functionality is not available in the Java standard library (JDK), you can use the Jackson library for its core competency: writing Java objects as JSON and reading JSON as Java objects. …

(aka “how to get almost canonical output” with custom JsonNodeFactory)

TL;DNR: quick way to get it “all sorted out”

If you just want to see the magic, here’s how you can make JsonNode automatically sort properties alphabetically by name (by default properties are stored in insertion order — and for reads it means order in which they are in the input document):

static class SortingNodeFactory extends JsonNodeFactory {
public ObjectNode objectNode() {
return new ObjectNode(this, new TreeMap<String, JsonNode>());
ObjectMapper mapper = JsonMapper.builder()
.nodeFactory(new SortingNodeFactory())
JsonNode root = mapper.readTree("{\"b\":1,\"a\":2}");
// assertEquals("{\"a\":2,\"b\":1}", mapper.writeValueAsString(root));

What happens here is that ObjectNode (JsonNode implementation for JSON Objects) is configured to use sorting TreeMap for storing properties instead of default LinkedHashMap. And since serializer simply iterates properties in order stored, output will be sorted. …

(annotations for jackson-jr, BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)

Jackson 2.11.0 was just released on April 26, 2020. This time releasing a new minor version was more along “classic” Jackson timeline — it took 7 months which is longer than with 1.x, but much shorter than 2.10 which took 2 years to complete.

As usual, there are full 2.11 release notes that include all changes included — almost 50 all in all, mostly bug fixes — and this blog post gives an overview of only more significant added or extended features.

Compared to 2.10 there are no major API evolution steps towards 3.x …

This blog post is a first for me.

I have never asked for financial support for any of the OSS libraries I have written, maintained. Ever.

But now I ask for users of my most visible Open Source projects — especially Jackson (*) — to consider supporting my development efforts and project maintenance (**). This is easy (***) to do via Tidelift subscription: you can find it under “Sponsor” link on Github repos like jackson-databind.
See “Our Mission” and “Java Enterprise Solutions” for more details on what subscribers get. You may also want to read “For Maintainers” to see what is in it for me, as the maintainer. …

(custom ValueReaders, ValueWriters for 3rd party type support)

Another area of significant improvements in Jackson 2.10 (see earlier “Jackson 2.10 features”) is jackson-jr — light-weight alternative to full jackson-databind (see “jackson-jr for casual JSON reading/writing”).

One of 2 major additions — ability to read “root values” (to support “JSON Streaming”, line-delimited JSON (LDJSON)) — was covered in that blog post. But ability to add read/write support for custom datatypes, such as 3rd party library (such as Joda, Guava) value types, was only briefly mentioned. …

Handling of JsonNode (base class of Tree Model representation in Jackson) was significantly improved in Jackson 2.10 as mentioned in “Jackson 2.10 features” overview. But due to space constraints overview did not dig very deep. Let’s have another look at what was added.

JsonNode.toString() is now supported

Although users sometimes used toString() implementation of JsonNode values, this was actually not supported usage by Jackson. Usage was unsupported because it was implemented so that:

  1. Serialization did not go through ObjectMapper but relied on separate simplified String concatenation that was only meant for troubleshooting and specifically did NOT guarantee valid JSON output: character escaping (for example) was not done properly for Object keys or String…

aka stemming the flow of Jackson-databind CVEs

(note: this story is part of deeper dive of Jackson 2.10 release features, after Overview of Jackson 2.10)

Arguably the most important new/improved feature in Jackson 2.10 is so-called “Safe Default Typing”. It is the replacement of existing basic unbounded Default Typing, problems of which are explained in earlier “On Jackson CVEs: Don’t Panic!” blog post.

What is Safe Default Typing?

Safe Default Typing means that in addition to specifying the main existing criteria for default typing — which classes should automatically use Polymorphic Type handling based on class name (similar to using “@JsonTypeInfo” annotation, but applying to groups of classes) — developers will now be required to also specify validator of type PolymorphicTypeValidator that will determine if deserialization of given class name is (or is not) allowed. …

aka How to use @JacksonAnnotationsInside

One of lesser known simple but sometimes super useful annotations Jackson provides is curiously named @JacksonAnnotationsInside .
What it does is quite simple: by adding this meta-annotation to another annotation, all other annotations contained will be introspected and added by Jackson, somewhat similar to how “mix-in” annotations are added from regular classes and interfaces.

Why would this be useful? Common use cases include:

  • Convenience: you can create one “combo-annotation” as short-hand to add multiple longer Jackson annotations
  • Encapsulation by 3rd party types: you can “hide” set of Jackson annotations within annotation type you define (and which may provide configuration other libraries…



Open Source developer, most known for Jackson data processor (nee “JSON library”), author of many, many other OSS libraries for Java, from ClassMate to Woodstox

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store