Why FastJSON Throws an Illegal Identifier Error and How Escaping Saves You

Introduction

While building a flash‑sale system, I encountered a strange JSON deserialization error in a filter that extracts JWT token information from request headers and stores user data in Redis as a JSON string.

Problem Scene

The filter retrieves the JSON string from Redis and attempts to deserialize it with FastJSON: JSON.parseObject(json, UserEntity.class); This throws the exception:

com.alibaba.fastjson.JSONException: illegal identifier : \pos 1, line 1, column 2{...}

Analysis

First I suspected malformed JSON, but an online validator confirmed the format was correct. A separate test class that parses the same string into a Map succeeded:

public class Test {
    public static void main(String[] args) {
        String json = "{\"accountNonExpired\":true,\"accountNonLocked\":true,\"authorities\":[{\"authority\":\"admin\"}],\"credentialsNonExpired\":true,\"enabled\":true,\"id\":13,\"password\":\"$2a$10$o3XfeGr0SHStAwLuJRW6y.kE0UTerQfv3SXrAcVLuJ6M3hEsC9RKe\",\"roles\":[\"admin\"],\"username\":\"admin\"}";
        Map map = JSON.parseObject(json, Map.class);
        System.out.println(map);
    }
}

The same JSON works in the test but fails in the filter, which was confusing.

Switch to Gson

Replacing FastJSON with Gson:

Map map = new Gson().fromJson(userJson, Map.class);

produced:

com.google.gson.JsonSyntaxException: Expected BEGIN_OBJECT but was STRING at line 1 column 2 path $

The error pointed to the $ character inside the encrypted password.

Removing $ and . from the string still resulted in another parsing error.

Switch to Jackson

Using Jackson's ObjectMapper:

ObjectMapper objectMapper = new ObjectMapper();
Map map = objectMapper.readValue(json, Map.class);

raised:

com.fasterxml.jackson.core.JsonParseException: Unexpected character ('\' (code 92)): was expecting double-quote to start field name

All three libraries failed, indicating the issue was not a library bug.

Escaping Issue

The JSON string contains escaped double quotes ( \") and backslashes. In the filter the string actually contains double‑escaped backslashes ( \\\), which makes the parser treat the leading backslash as an illegal identifier.

Applying StringEscapeUtils.unescapeJava(json) to remove the escape characters allowed FastJSON to deserialize successfully.

Conclusion

The root cause was hidden escape characters in the JSON stored in Redis. Using StringEscapeUtils.unescapeJava (or any proper unescaping step) before deserialization fixes the problem. The article also explains why the test class succeeded: the JSON copied into the test contained only a single level of escaping, while the filter received a doubly‑escaped string.