Add Jackson 3 support and deprecate Jackson 2 one #17832
+11,632
−312
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spring-projects-issues
added
the
status: waiting-for-triage
rwinch
requested changes
Sep 4, 2025
There was a problem hiding this comment.
Thanks for the pull request. Generally, I think this is looking good. I've provided some feedback inline.
It also appears that there are still some classes that need migrated. Searching for jackson on main should give you a complete list of classes that are using jackson.
For example, webauthn has jackson support. I'm guessing this was missed because it is inconsistent with the rest of the jackson support in that it is in a jackson package rather than jackson2. It is also automatically registered because it does not use default types which would make it insecure.
There are also some tests that still use ObjectMapper or deprecated Spring Framework Jackson 2 classes (e.g. JwtDecodersTests.java#L388). Unless the test is specifically for the Jackson 2 support, we should update these to use non-deprecated classes (e.g. JsonMapper).
There are various Spring framework jackson based classes that have been deprecated that we should migrate away from. For example, MappingJackson2HttpMessageConverter usage (e.g. WebAuthnAuthenticationFilter.converter) should be migrated to JacksonJsonHttpMessageConverter if jackson 3 is on the classpath. Likely there could be a static factory method used that Spring Security uses to obtain the correct default json converter instance.
cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/jackson/AbstractUnmodifiableCollectionDeserializer.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/springframework/security/jackson/AllowlistTypeResolverBuilder.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/springframework/security/jackson/AllowlistTypeResolverBuilder.java
Outdated
Show resolved
Hide resolved
...ce-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2JacksonModule.java
Outdated
Show resolved
Hide resolved
...-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2Jackson2Module.java
Show resolved
Hide resolved
|
@rwinch I have pushed additional commits:
I will do another pass with your feedback to my questions in the comments. |
sdeleuze
force-pushed
the
jackson3
branch
2 times, most recently
from
e7d5c41 to
20a69ea
Compare
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 10, 2025
See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 10, 2025
This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom Jackson 3 support for unmodifiable collections - AllowlistTypeResolverBuilder in new a public type in order to be used easily with the JsonMapper.Builder API Jackson 3 changes compared to Jackson 2 are documented on FasterXML/jackson-future-ideas#72. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 10, 2025
This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 10, 2025
Since this module was already using the jackson sub-package for Jackson 2 support, both Jackson 2 and Jackson 3 support lives in the same subpackage and the former package-private classes has been renamed with a Jackson2 qualifier. Closes spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
|
@rwinch I have removed the custom support for unmodifiable collections (seems to work fine with Jackson 3), reworked the commit for a cleaner git history, and rebased the commits on |
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 25, 2025
See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 25, 2025
This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom Jackson 3 support for unmodifiable collections - AllowlistTypeResolverBuilder in new a public type in order to be used easily with the JsonMapper.Builder API Jackson 3 changes compared to Jackson 2 are documented on FasterXML/jackson-future-ideas#72. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 25, 2025
This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 25, 2025
Since this module was already using the jackson sub-package for Jackson 2 support, both Jackson 2 and Jackson 3 support lives in the same subpackage and the former package-private classes has been renamed with a Jackson2 qualifier. Closes spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
|
@sdeleuze @rwinch I was wondering if message converters in That's then causing NPE's i.e in |
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 28, 2025
Since this module was already using the jackson sub-package for Jackson 2 support, both Jackson 2 and Jackson 3 support lives in the same subpackage and the former package-private classes has been renamed with a Jackson2 qualifier. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Sep 28, 2025
This commits remove global default typing for better security and use instead a custom PolymorphicTypeValidator. See https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba for more details. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
|
@jvalkeal Good catch, I will add a related commit. |
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 3, 2025
See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 3, 2025
This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom Jackson 3 support for unmodifiable collections - AllowlistTypeResolverBuilder in new a public type in order to be used easily with the JsonMapper.Builder API Jackson 3 changes compared to Jackson 2 are documented on FasterXML/jackson-future-ideas#72. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 3, 2025
This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 3, 2025
Since this module was already using the jackson sub-package for Jackson 2 support, both Jackson 2 and Jackson 3 support lives in the same subpackage and the former package-private classes has been renamed with a Jackson2 qualifier. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 3, 2025
This commits remove global default typing for better security and use instead a custom PolymorphicTypeValidator which can be configured by each Spring Security module and customized by the end users. See https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba for more details. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 3, 2025
This commit introduces classpath checks and instantiation of JacksonJsonHttpMessageConverter (based on Jackson 3) leveraging a new GenericHttpMessageConverterAdapter which allows to adapt SmartHttpMessageConverter to GenericHttpMessageConverter. Closes spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
|
@rwinch The PR is ready for a new review. It removes global default typing, allow customization of the authorized types via a The main missing part is the "Jackson 2 compatibility mode with Jackson 3". It will be implemented via a |
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 6, 2025
See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 6, 2025
This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom Jackson 3 support for unmodifiable collections - AllowlistTypeResolverBuilder in new a public type in order to be used easily with the JsonMapper.Builder API Jackson 3 changes compared to Jackson 2 are documented on FasterXML/jackson-future-ideas#72. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 6, 2025
This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 6, 2025
Since this module was already using the jackson sub-package for Jackson 2 support, both Jackson 2 and Jackson 3 support lives in the same subpackage and the former package-private classes has been renamed with a Jackson2 qualifier. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 6, 2025
This commits remove global default typing for better security and use instead a custom PolymorphicTypeValidator which can be configured by each Spring Security module and customized by the end users. See https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba for more details. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
sdeleuze
added a commit
to sdeleuze/spring-security
that referenced
this pull request
Oct 6, 2025
This commit introduces classpath checks and instantiation of JacksonJsonHttpMessageConverter (based on Jackson 3) leveraging a new GenericHttpMessageConverterAdapter which allows to adapt SmartHttpMessageConverter to GenericHttpMessageConverter. Closes spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
|
PR updated to use Jackson 3.0.0 GA which has just been released. The |
|
Looks like I have missed |
|
Thanks for all the updates @sdeleuze I'm reviewing now.
If you rebase, this should be fixed in 83da86a which will be resolved more comprehensively in #18012 |
See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom Jackson 3 support for unmodifiable collections - AllowlistTypeResolverBuilder in new a public type in order to be used easily with the JsonMapper.Builder API Jackson 3 changes compared to Jackson 2 are documented on FasterXML/jackson-future-ideas#72. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
Since this module was already using the jackson sub-package for Jackson 2 support, both Jackson 2 and Jackson 3 support lives in the same subpackage and the former package-private classes has been renamed with a Jackson2 qualifier. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
Signed-off-by: Sébastien Deleuze <[email protected]>
This commits remove global default typing for better security and use instead a custom PolymorphicTypeValidator which can be configured by each Spring Security module and customized by the end users. See https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba for more details. See spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
This commit introduces classpath checks and instantiation of JacksonJsonHttpMessageConverter (based on Jackson 3) leveraging a new GenericHttpMessageConverterAdapter which allows to adapt SmartHttpMessageConverter to GenericHttpMessageConverter. Closes spring-projectsgh-17832 Signed-off-by: Sébastien Deleuze <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for Jackson 3 which has the following major differences with the Jackson 2 one:
jacksonsubpackage instead ofjackson2Jacksontype prefix instead ofJackson2JsonMapperinstead ofObjectMapperJsonMapper.Builderinstead ofObjectMappersince the latter is now immutableAllowlistTypeResolverBuilderin new a public type in order to be used easily with theJsonMapper.BuilderAPIJackson 3 changes compared to Jackson 2 are documented on FasterXML/jackson-future-ideas#72.
It also deprecates Jackson 2 support for removal.