
Why Upgrade to fastjson2? Performance Boosts and Safer AutoType Handling

This article examines fastjson2’s design improvements over fastjson1, highlighting its safer AutoType mechanism, performance enhancements, migration strategies—including compatibility mode and new APIs—and provides practical code examples for configuring serializers, updating Maven dependencies, and adapting Spring converters.

Java Architecture Diary

1. Introduction

Hello everyone, I am the author of the mica series of open‑source projects. After recent discussions about fastjson2 updates and performance tricks, and another fastjson security vulnerability, I investigated fastjson2 and found it not only faster but also safer.

2. The Root Cause: AutoType

Both fastjson and Jackson support AutoType: the serializer embeds the concrete class name in the JSON (fastjson's "@type", Jackson's "@class" under default typing) so that the deserializer can instantiate the right type without being told it. The same mechanism lets a payload name a class the developer never intended to deserialize, which is why it is the root cause of most deserialization vulnerabilities in both libraries.

3. Security Issues in fastjson1

fastjson 1.x relies on a blacklist of known dangerous classes. Against the gadget classes accumulated over nearly 30 years of Java libraries, that list has repeatedly missed entries, and each miss became another AutoType bypass vulnerability.

4. Jackson AutoType Handling

Jackson also supports AutoType (it calls the feature default typing), and several of its published CVEs stem from polymorphic deserialization gadgets reachable through it. Because Jackson's behaviour is scoped to an ObjectMapper instance, the risk can be confined: leave default typing off on the mapper the web layer uses, and activate it only on a copy used for Redis serialization, where the data is written by the application itself:

<code>import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonTypeInfo.As;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;

public RedisSerializer&lt;Object&gt; redisSerializer(ObjectProvider&lt;ObjectMapper&gt; objectProvider) {
    // copy the shared ObjectMapper so DefaultTyping is enabled only for Redis, not for the web layer
    ObjectMapper objectMapper = objectProvider.getIfAvailable(ObjectMapper::new).copy();
    objectMapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
    objectMapper.findAndRegisterModules();
    GenericJackson2JsonRedisSerializer.registerNullValueSerializer(objectMapper, null);
    // getPolymorphicTypeValidator() on a stock mapper is the permissive LaissezFaireSubTypeValidator
    objectMapper.activateDefaultTyping(objectMapper.getPolymorphicTypeValidator(), DefaultTyping.NON_FINAL, As.PROPERTY);
    return new GenericJackson2JsonRedisSerializer(objectMapper);
}
</code>
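The snippet above leaves one check implicit: on a stock ObjectMapper, getPolymorphicTypeValidator() returns LaissezFaireSubTypeValidator, which accepts any class name the payload puts in "@class". The following added example (not code from the article, from Jackson or from Spring Data Redis) shows that permissive setting beside a BasicPolymorphicTypeValidator limited to the application's own types; Session, the com.example.cache package and the allowed prefix are assumptions for the demo.

```java
package com.example.cache;

import java.util.HashMap;
import java.util.Map;

import com.fasterxml.jackson.annotation.JsonTypeInfo.As;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not code from the article or from Jackson/Spring Data Redis.
// Session and the com.example.cache package are assumed sample types.
public class DefaultTypingDemo {
    public static class Session {
        public String user;
        public Object attributes;   // Object-typed field, so Jackson must write an "@class" marker for it
    }

    /** What the Redis snippet above ends up with: a stock ObjectMapper's
     *  getPolymorphicTypeValidator() is LaissezFaireSubTypeValidator, which
     *  accepts whatever class name the payload puts in "@class". */
    public static ObjectMapper permissive() {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(m.getPolymorphicTypeValidator(), DefaultTyping.NON_FINAL, As.PROPERTY);
        return m;
    }

    /** Same typing mode, but "@class" may only name classes under the application's
     *  own package (assumed prefix) or Map implementations, the two things this cache stores. */
    public static ObjectMapper restricted() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.cache.")
                .allowIfSubType(Map.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL, As.PROPERTY);
        return m;
    }

    public static void main(String[] args) throws Exception {
        Session s = new Session();
        s.user = "alice";
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("role", "admin");
        s.attributes = attrs;

        // Both mappers write the same JSON: "@class" for Session and for the HashMap.
        String json = restricted().writeValueAsString(s);
        System.out.println(json);

        // Legitimate cache data round-trips under the restricted validator.
        Session back = restricted().readValue(json, Session.class);
        System.out.println(back.user + " " + back.attributes.getClass().getName());

        // Constructed payload whose nested "@class" names a class outside the allow-list.
        // permissive() would accept java.util.Locale as the target type and try to deserialize
        // into it; restricted() rejects the type id with InvalidTypeIdException instead.
        String hostile = "{\"@class\":\"com.example.cache.DefaultTypingDemo$Session\",\"user\":\"x\","
                + "\"attributes\":{\"@class\":\"java.util.Locale\",\"language\":\"en\"}}";
        try {
            restricted().readValue(hostile, Session.class);
            System.out.println("accepted (unexpected)");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The allow-list is the part to adapt: every class your cache legitimately stores, and only those, must be covered by an allowIfSubType rule, otherwise reads of valid entries fail with the same InvalidTypeIdException.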

5. Design of fastjson2

In fastjson2, AutoType is off unless a call explicitly enables it; there is no default whitelist, and the special treatment of Exception classes that 1.x allowed is gone. A default configuration therefore never instantiates a class named by the payload.

Serialization with type information

To include type information during serialization, use JSONWriter.Feature.WriteClassName:

<code>Bean bean = ...;
String jsonString = JSON.toJSONString(bean, JSONWriter.Feature.WriteClassName);
</code>

If the consumer already knows the root type, omit the root class name with NotWriteRootClassName. Nested polymorphic fields still get "@type", the output is smaller and the reader has one less class to resolve:

<code>Bean bean = ...;
String jsonString = JSON.toJSONString(bean, JSONWriter.Feature.WriteClassName, JSONWriter.Feature.NotWriteRootClassName);
</code>

Deserialization with AutoType support

<code>Bean bean = (Bean) JSON.parseObject(jsonString, Object.class, JSONReader.Feature.SupportAutoType);
</code>

fastjson2 also has a safeMode switch; when it is on, AutoType is disabled globally and explicitly passed SupportAutoType parameters are ignored:

<code>-Dfastjson2.parser.safeMode=true
</code>

Even with AutoType enabled, fastjson2 applies an internal blacklist (deny list) as defence in depth, but a blacklist cannot guarantee safety. Treat AutoType as a feature for trusted, internal data such as caches and RPC between your own services, and never enable it for JSON arriving from public-facing APIs.
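Putting the features of this section together, as an added example that is not code from the article or from the fastjson2 project: Bean, Address, the com.example.demo package and the prefix passed to JSONReader.autoTypeFilter are assumptions for the demo. It shows what WriteClassName and NotWriteRootClassName emit, that a reader without SupportAutoType does not act on "@type", and how a package-prefix filter restricts which classes "@type" may resolve.

```java
package com.example.demo;

import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONException;
import com.alibaba.fastjson2.JSONObject;
import com.alibaba.fastjson2.JSONReader;
import com.alibaba.fastjson2.JSONWriter;
import com.alibaba.fastjson2.filter.Filter;

// Added example, not code from the article or from fastjson2 itself.
// Bean, Address and the com.example.demo package are assumed sample types.
public class AutoTypeDemo {
    public static class Address {
        public String city;
    }

    public static class Bean {
        public String name;
        public Object location;   // declared as Object, so the reader needs "@type" to rebuild an Address
    }

    public static void main(String[] args) {
        Address addr = new Address();
        addr.city = "Hangzhou";
        Bean bean = new Bean();
        bean.name = "demo";
        bean.location = addr;

        // 1. WriteClassName adds "@type" for the root object and for the nested Address.
        String full = JSON.toJSONString(bean, JSONWriter.Feature.WriteClassName);
        System.out.println(full);

        // 2. The consumer knows the root is a Bean, so only the nested Address needs "@type".
        String noRoot = JSON.toJSONString(bean,
                JSONWriter.Feature.WriteClassName,
                JSONWriter.Feature.NotWriteRootClassName);
        System.out.println(noRoot);

        // 3. Without SupportAutoType the "@type" marker is not acted on: the result is a
        //    generic JSONObject, never an instance of the class the payload names.
        Object untyped = JSON.parseObject(full, Object.class);
        System.out.println("plain JSONObject: " + (untyped instanceof JSONObject));

        // 4. SupportAutoType honours "@type" (still subject to the built-in deny list).
        //    With -Dfastjson2.parser.safeMode=true this flag is ignored and the cast fails.
        Bean viaAutoType = (Bean) JSON.parseObject(full, Object.class, JSONReader.Feature.SupportAutoType);
        System.out.println("nested Address restored: " + (viaAutoType.location instanceof Address));

        // 5. Preferred for typed internal data: target the known root type and let "@type"
        //    resolve only classes under your own package prefix (an assumed prefix here).
        Filter ownTypesOnly = JSONReader.autoTypeFilter("com.example.demo.");
        Bean viaFilter = JSON.parseObject(noRoot, Bean.class, ownTypesOnly);
        System.out.println("nested Address restored via filter: " + (viaFilter.location instanceof Address));

        // 6. Constructed payload naming a class outside the allowed prefix: the filter yields
        //    no class, so the marker is either kept as plain data or rejected, never resolved.
        String outside = "{\"@type\":\"com.other.NotAllowed\",\"name\":\"x\"}";
        boolean resolved;
        try {
            Object r = JSON.parseObject(outside, Object.class, ownTypesOnly);
            resolved = !(r instanceof JSONObject);
        } catch (JSONException e) {
            resolved = false;
        }
        System.out.println("outside type resolved: " + resolved);
    }
}
```

Step 5 is the configuration to prefer over a bare SupportAutoType: the prefix list is an allow-list under your control, so the built-in deny list becomes a second layer rather than the only one.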

6. Upgrading to fastjson2

6.1 Compatibility Mode Upgrade

Compatibility mode keeps the com.alibaba.fastjson package and API, so most projects upgrade by changing only the dependency; code that reaches into 1.x internals or depends on AutoType behaviour needs regression testing. Maven dependency for compatibility mode:

<code>&lt;dependency&gt;
    &lt;groupId&gt;com.alibaba&lt;/groupId&gt;
    &lt;artifactId&gt;fastjson&lt;/artifactId&gt;
    &lt;version&gt;${fastjson2.version}&lt;/version&gt;
&lt;/dependency&gt;
</code>

6.2 Using the New API

Using the new API is the recommended route: it is the only way to reach features outside the 1.x surface, such as the JSONB binary format.

Package change: the new package is com.alibaba.fastjson2, so 1.x and 2.x can coexist on the same classpath.

<code>import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONObject;
import com.alibaba.fastjson2.JSONArray;
</code>

The Maven groupId also changes to com.alibaba.fastjson2:

<code>&lt;dependency&gt;
    &lt;groupId&gt;com.alibaba.fastjson2&lt;/groupId&gt;
    &lt;artifactId&gt;fastjson2&lt;/artifactId&gt;
    &lt;version&gt;${fastjson2.version}&lt;/version&gt;
&lt;/dependency&gt;
</code>

If you need Spring integration, add the fastjson2-extension dependency:

<code>&lt;dependency&gt;
    &lt;groupId&gt;com.alibaba.fastjson2&lt;/groupId&gt;
    &lt;artifactId&gt;fastjson2-extension&lt;/artifactId&gt;
    &lt;version&gt;${fastjson2.version}&lt;/version&gt;
&lt;/dependency&gt;
</code>

For projects using FastJsonHttpMessageConverter, change the import package from:

<code>import com.alibaba.fastjson.support.config.FastJsonConfig;
import com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter;
</code>

to:

<code>import com.alibaba.fastjson2.support.config.FastJsonConfig;
import com.alibaba.fastjson2.support.spring.http.converter.FastJsonHttpMessageConverter;
</code>

A minimal converter bean then looks like this:

<code>import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;

import com.alibaba.fastjson2.support.config.FastJsonConfig;
import com.alibaba.fastjson2.support.spring.http.converter.FastJsonHttpMessageConverter;

@Configuration(proxyBeanMethods = false)
public class FastJsonConfiguration {
    @Bean
    public FastJsonHttpMessageConverter fastJsonHttpMessageConverter() {
        FastJsonHttpMessageConverter converter = new FastJsonHttpMessageConverter();
        // default FastJsonConfig: reader/writer features unset, AutoType off
        converter.setFastJsonConfig(new FastJsonConfig());
        converter.setSupportedMediaTypes(Arrays.asList(MediaType.APPLICATION_JSON, new MediaType("application", "*+json")));
        return converter;
    }
}
</code>

Conclusion

fastjson2 offers significant performance and security improvements, and its JSONB binary format in particular makes it a strong choice for caching, RPC, and other backend scenarios.
