Jackson2ObjectMapperBuilder visibilities need to be applied in order [SPR-17489] #22021

spring-issuemaster opened this Issue Nov 13, 2018 · 1 comment



spring-issuemaster commented Nov 13, 2018

Jukka Lehtimäki opened SPR-17489 and commented

Jackson2ObjectMapperBuilder uses a HashMap to store user-specified visibilities and proceeds to iterate them with foreach. Map doesn't guarantee order, so the user might unknowingly override his preferred visibilities, causing Jackson deserialization to fail randomly at run time. The bug can go unnoticed if the server happens to start with the correct order (50% chance).

How to reproduce:

  1. Create custom Jackson2ObjectMapperBuilderCustomizer
    // Visibility is com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility
    public Jackson2ObjectMapperBuilderCustomizer custom() {
        return (jacksonObjectMapperBuilder) -> {
            jacksonObjectMapperBuilder
                    .visibility(PropertyAccessor.ALL, Visibility.NONE)
                    .visibility(PropertyAccessor.FIELD, Visibility.ANY);
        };
    }

Notice that the first visibility sets ALL properties to NONE. The second one wants only the FIELDS to be visible.

  2. Now, depending on your luck, it will either run the set ALL visibility to NONE first or last, effectively overriding the FIELD visibility unintentionally.

Affects: 5.1.2

Issue Links:

  • #20957 Jackson: Add visibility properties to Jackson2ObjectMapperBuilder

Referenced from: commits 093254b



spring-issuemaster commented Nov 13, 2018

Juergen Hoeller commented

Jackson2ObjectMapperBuilder stores visibility declarations (and also mix-in and feature declarations) in a LinkedHashMap now, preserving declaration order semantics.
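
The ordering dependency discussed in this issue, as an added example that is not part of the original issue or of Spring's code: it applies the two visibility declarations to a plain Jackson ObjectMapper in declaration order, in reverse order, and through a HashMap. It assumes jackson-databind is on the classpath; the class names VisibilityOrderDemo and Token are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

public class VisibilityOrderDemo {

    // Constructed sample type: state lives only in a private field, no accessors.
    static class Token {
        private String value = "abc";
    }

    // Applies each declaration in the map's iteration order, then serializes.
    static String serialize(Map<PropertyAccessor, Visibility> visibilities) {
        ObjectMapper mapper = new ObjectMapper();
        visibilities.forEach(mapper::setVisibility);
        try {
            return mapper.writeValueAsString(new Token());
        } catch (Exception e) {
            // With every accessor set to NONE, Jackson finds no properties to write.
            return "FAILED: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // LinkedHashMap iterates in insertion order, so ALL=NONE is applied first.
        Map<PropertyAccessor, Visibility> declared = new LinkedHashMap<>();
        declared.put(PropertyAccessor.ALL, Visibility.NONE);
        declared.put(PropertyAccessor.FIELD, Visibility.ANY);

        // Same two declarations, but ALL=NONE is applied last and wipes FIELD=ANY.
        Map<PropertyAccessor, Visibility> reversed = new LinkedHashMap<>();
        reversed.put(PropertyAccessor.FIELD, Visibility.ANY);
        reversed.put(PropertyAccessor.ALL, Visibility.NONE);

        System.out.println("declaration order: " + serialize(declared));
        System.out.println("reversed order:    " + serialize(reversed));

        // Enum keys hash by identity, so HashMap order can differ between JVM runs.
        Map<PropertyAccessor, Visibility> hashed = new HashMap<>(declared);
        System.out.println("HashMap this run:  " + hashed.keySet() + " -> " + serialize(hashed));
    }
}
```

Running it several times in fresh JVMs shows the HashMap line matching either of the first two lines, which is why a test suite can pass while a later deployment fails.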
