Jackson: how to prevent field serialization
JavaJsonJacksonJava Problem Overview
I have an entity class with a password field:
class User {
private String password;
//setter, getter..
}
I want this field to be skipped during serialization. But it should still be able to deserialize. This is needed, so that the client can send me a new password, but is not able to read the current one.
How do I accomplish this with Jackson?
Java Solutions
Solution 1 - Java
You can mark it as @JsonIgnore.
With 1.9, you can add @JsonIgnore for getter, @JsonProperty for setter, to make it deserialize but not serialize.
Solution 2 - Java
Illustrating what StaxMan has stated, this works for me
private String password;
@JsonIgnore
public String getPassword() {
return password;
}
@JsonProperty
public void setPassword(String password) {
this.password = password;
}
Solution 3 - Java
The easy way is to annotate your getters and setters.
Here is the original example modified to exclude the plain text password, but then annotate a new method that just returns the password field as encrypted text.
class User {
private String password;
public void setPassword(String password) {
this.password = password;
}
@JsonIgnore
public String getPassword() {
return password;
}
@JsonProperty("password")
public String getEncryptedPassword() {
// encryption logic
}
}
Solution 4 - Java
Starting with Jackson 2.6, a property can be marked as read- or write-only. It's simpler than hacking the annotations on both accessors and keeps all the information in one place:
public class User {
@JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
private String password;
}
Solution 5 - Java
Aside from @JsonIgnore, there are a couple of other possibilities:
-
Use JSON Views to filter out fields conditionally (by default, not used for deserialization; in 2.0 will be available but you can use different view on serialization, deserialization)
-
@JsonIgnorePropertieson class may be useful
Solution 6 - Java
transient is the solution for me. thanks! it's native to Java and avoids you to add another framework-specific annotation.
Solution 7 - Java
One should ask why you would want a public getter method for the password. Hibernate, or any other ORM framework, will do with a private getter method. For checking whether the password is correct, you can use
public boolean checkPassword(String password){
return this.password.equals(anyHashingMethod(password));
}
Solution 8 - Java
Jackson has a class named SimpleBeanPropertyFilter that helps to filter fields during serialization and deserialization; not globally. I think that's what you wanted.
@JsonFilter("custom_serializer")
class User {
private String password;
//setter, getter..
}
Then in your code:
String[] fieldsToSkip = new String[] { "password" };
ObjectMapper mapper = new ObjectMapper();
final SimpleFilterProvider filter = new SimpleFilterProvider();
filter.addFilter("custom_serializer",
SimpleBeanPropertyFilter.serializeAllExcept(fieldsToSkip));
mapper.setFilters(filter);
String jsonStr = mapper.writeValueAsString(currentUser);
This will prevent password field to get serialized. Also you will be able to deserialize password fields as it is. Just make sure no filters are applied on the ObjectMapper object.
ObjectMapper mapper = new ObjectMapper();
User user = mapper.readValue(yourJsonStr, User.class); // user object does have non-null password field
Solution 9 - Java
set variable as
@JsonIgnore
This allows variable to get skipped by json serializer