Why Upgrade to fastjson2? Performance Boosts and Safer AutoType Handling

This article examines fastjson2’s design improvements over fastjson1, highlighting its safer AutoType mechanism, performance enhancements, migration strategies—including compatibility mode and new APIs—and provides practical code examples for configuring serializers, updating Maven dependencies, and adapting Spring converters.

Java Architecture Diary

1. Introduction

Hello everyone, I am the author of the mica series of open‑source projects. Prompted by recent discussion of fastjson2 updates and performance tuning, and by yet another fastjson security vulnerability, I took a closer look at fastjson2 and found that it is not only faster but also safer by default.

2. The Root Cause: AutoType

Both fastjson and Jackson can embed the concrete class name in the JSON they write (fastjson calls this AutoType; Jackson calls it default typing, part of its polymorphic type handling) so that the reader can instantiate the right class on deserialization. The security problem is that the class name then becomes attacker-controlled input: if the reader instantiates whatever class the document names, every class on the classpath whose constructor, setter or getter has side effects becomes a potential gadget, and the parser turns into a remote code execution sink.

3. Security Issues in fastjson1

fastjson 1.x ships with AutoType disabled, but guards the feature with a deny list of known-dangerous classes rather than an allow list of expected ones. The Java ecosystem is nearly 30 years old and contains far more exploitable gadget classes than any deny list can enumerate, so new bypasses kept being found, each one becoming another fastjson security advisory.

4. Jackson AutoType Handling

Jackson also supports this kind of type embedding (default typing), and several of its past security issues stem from the same class-name-driven gadget problem. The mitigating difference is that Jackson's parsing is tied to an ObjectMapper instance, so the feature can be confined to one mapper instead of being a global setting. For example, activate default typing only on a dedicated copy of the mapper used for Redis serialization/deserialization, leaving the mapper that handles HTTP request bodies untouched:

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonTypeInfo.As;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;

public RedisSerializer<Object> redisSerializer(ObjectProvider<ObjectMapper> objectProvider) {
    // copy() so that default typing is enabled only on the Redis mapper, never on the shared web ObjectMapper
    ObjectMapper objectMapper = objectProvider.getIfAvailable(ObjectMapper::new).copy();
    objectMapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
    objectMapper.findAndRegisterModules();
    GenericJackson2JsonRedisSerializer.registerNullValueSerializer(objectMapper, null);
    // getPolymorphicTypeValidator() returns whatever validator the mapper was configured with; if none was set, that is Jackson's permissive default
    objectMapper.activateDefaultTyping(objectMapper.getPolymorphicTypeValidator(), DefaultTyping.NON_FINAL, As.PROPERTY);
    return new GenericJackson2JsonRedisSerializer(objectMapper);
}
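The Redis serializer above reuses whichever PolymorphicTypeValidator the mapper already carries, which on an unconfigured mapper is Jackson's permissive default. The following is an added example, not code from the article or from the mica project, showing the hardened form: default typing is switched on the same way, but with a BasicPolymorphicTypeValidator that only accepts subtypes under our own package, so a "@class" naming anything else is rejected before any instance is created. The package name com.example.cache, the UserProfile type and the hostile payload are all constructed for this example.

```java
package com.example.cache;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the article): default typing restricted by an allow-list validator.
public class JacksonTypingDemo {

    // Constructed sample type standing in for a cached value.
    public static class UserProfile {
        public String name;
        public int level;
        public UserProfile() {}
        public UserProfile(String name, int level) { this.name = name; this.level = level; }
    }

    // Mapper for the cache: type ids are written and honoured, but only for
    // classes under com.example.cache (an assumed package name).
    public static ObjectMapper cacheMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.cache.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv,
                ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = cacheMapper();

        // Round trip: the class name is embedded as "@class" and honoured on read
        // because it starts with the allowed prefix.
        String json = mapper.writeValueAsString(new UserProfile("alice", 3));
        System.out.println(json);
        UserProfile back = (UserProfile) mapper.readValue(json, Object.class);
        System.out.println(back.name + " / " + back.level);

        // Constructed hostile payload: a type id outside the allow list.
        // The validator denies it during type-id resolution, before any
        // instance of the named class is created.
        String hostile = "{\"@class\":\"java.util.HashMap\",\"k\":\"v\"}";
        try {
            mapper.readValue(hostile, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The same validator can be handed to the Redis serializer by replacing the getPolymorphicTypeValidator() call with the allow-list instance. Keep the prefix list to packages your own code writes into the cache; widening it to java. or org.springframework. reintroduces most of the gadget surface.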

5. Design of fastjson2

fastjson2’s AutoType must be explicitly enabled per call or per context; an "@type" key in an incoming document is otherwise treated as an ordinary field. There is no implicit whitelist, and no special carve-out for Exception classes of the kind fastjson 1.x had for Throwable subtypes, so the default configuration never instantiates a class just because the JSON names it.

Serialization with type information

To include type information during serialization, use JSONWriter.Feature.WriteClassName:

Bean bean = ...;
String jsonString = JSON.toJSONString(bean, JSONWriter.Feature.WriteClassName);

If the reader already knows the root type (it will call parseObject with that class), omit the root’s type name to save bytes and skip one class lookup on deserialization; nested values whose declared type is an interface or Object still get their "@type":

Bean bean = ...;
String jsonString = JSON.toJSONString(bean, JSONWriter.Feature.WriteClassName, JSONWriter.Feature.NotWriteRootClassName);

Deserialization with AutoType support

Bean bean = (Bean) JSON.parseObject(jsonString, Object.class, JSONReader.Feature.SupportAutoType);

fastjson2 also has a process-wide safeMode switch. When it is on, a SupportAutoType feature passed to an individual call is ignored and AutoType stays disabled everywhere in the JVM, which is the right setting for services that never need type embedding:

-Dfastjson2.parser.safeMode=true

Even with AutoType enabled, fastjson2 still filters class names through an internal deny list, but a deny list can never be complete. Treat AutoType as acceptable only for data your own code produced (caches, RPC payloads), prefer an allow list of your own packages over the built-in deny list, and never enable it on a public-facing API.
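The snippets above show the writer and reader features in isolation. The following is an added example, not code from the article or from fastjson2 itself, that runs them on one round trip so the three reader behaviours can be told apart: the default read, where "@type" is inert; the explicit SupportAutoType opt-in; and an allow list built with JSONReader.autoTypeFilter, fastjson2's AutoType hook, which this example assumes is available in the version in use. The package com.example.cache and the CacheEntry and Address types are constructed for the example.

```java
package com.example.cache;

import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONObject;
import com.alibaba.fastjson2.JSONReader;
import com.alibaba.fastjson2.JSONWriter;

// Added example (not from the article): fastjson2 AutoType on a round trip.
public class Fastjson2AutoTypeDemo {

    // Constructed sample types. The Object-typed field is what makes a
    // nested type hint necessary on the way back in.
    public static class CacheEntry {
        public String key;
        public Object value;
        public CacheEntry() {}
        public CacheEntry(String key, Object value) { this.key = key; this.value = value; }
    }

    public static class Address {
        public String city;
        public Address() {}
        public Address(String city) { this.city = city; }
    }

    public static void main(String[] args) {
        CacheEntry entry = new CacheEntry("user:42:address", new Address("Hangzhou"));

        // 1. Type info everywhere: "@type" on the root and on the nested value.
        String full = JSON.toJSONString(entry, JSONWriter.Feature.WriteClassName);
        System.out.println(full);

        // 2. The reader will know the root type, so drop the root "@type";
        //    the nested Address keeps its hint.
        String nested = JSON.toJSONString(entry,
                JSONWriter.Feature.WriteClassName,
                JSONWriter.Feature.NotWriteRootClassName);
        System.out.println(nested);

        // 3a. Default read: AutoType is off, so "@type" is just another key and
        //     nothing named in the document is instantiated.
        Object plain = JSON.parseObject(full, Object.class);
        System.out.println(plain.getClass().getSimpleName()
                + " with @type=" + ((JSONObject) plain).getString("@type"));

        // 3b. Explicit opt-in: hints are honoured, subject to the built-in deny
        //     list. The root type comes from the call, the nested one from "@type".
        CacheEntry restored = JSON.parseObject(nested, CacheEntry.class,
                JSONReader.Feature.SupportAutoType);
        System.out.println(((Address) restored.value).city);

        // 3c. Preferred for caches and RPC: an allow list, so "@type" may only
        //     resolve classes under our own package (assumed package name).
        JSONReader.AutoTypeBeforeHandler allowList =
                JSONReader.autoTypeFilter("com.example.cache.");
        CacheEntry scoped = (CacheEntry) JSON.parseObject(full, Object.class, allowList);
        System.out.println(((Address) scoped.value).city);
    }
}
```

Case 3c is the one to standardise on for internal data: class names outside the listed prefixes are not resolved by the filter, so the deny list is no longer the only thing standing between a crafted "@type" and a gadget class. Case 3a is what a public API should see, and safeMode pins every reader in the JVM to that behaviour.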

6. Upgrading to fastjson2

6.1 Compatibility Mode Upgrade

You can upgrade in compatibility mode without changing imports, since the compatibility artifact keeps the com.alibaba.fastjson package. Code that only uses JSON, JSONObject and JSONArray usually works unchanged; code that reaches into 1.x internals such as ParserConfig, SerializeConfig or custom serializers needs a test pass. Maven dependency for compatibility mode:

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>${fastjson2.version}</version>
</dependency>

6.2 Using the New API

Using the new API is the recommended approach to gain additional features.

Package change: the new package is com.alibaba.fastjson2, allowing coexistence of 1.x and 2.x versions.

import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONObject;
import com.alibaba.fastjson2.JSONArray;

The Maven groupId also changes to com.alibaba.fastjson2:

<dependency>
    <groupId>com.alibaba.fastjson2</groupId>
    <artifactId>fastjson2</artifactId>
    <version>${fastjson2.version}</version>
</dependency>

If you need Spring integration, add the fastjson2-extension dependency (newer fastjson2 releases split the Spring support into Spring-version-specific extension artifacts, so check the artifact name for the version you are on):

<dependency>
    <groupId>com.alibaba.fastjson2</groupId>
    <artifactId>fastjson2-extension</artifactId>
    <version>${fastjson2.version}</version>
</dependency>

For projects using FastJsonHttpMessageConverter, both the config and the converter imports move to the fastjson2 packages (note that the converter also moves into a deeper http.converter sub-package):

import com.alibaba.fastjson.support.config.FastJsonConfig;
import com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter;

to:

import com.alibaba.fastjson2.support.config.FastJsonConfig;
import com.alibaba.fastjson2.support.spring.http.converter.FastJsonHttpMessageConverter;

A minimal configuration registering the converter as a Spring bean:

import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import com.alibaba.fastjson2.support.config.FastJsonConfig;
import com.alibaba.fastjson2.support.spring.http.converter.FastJsonHttpMessageConverter;

@Configuration(proxyBeanMethods = false)
public class FastJsonConfiguration {
    @Bean
    public FastJsonHttpMessageConverter fastJsonHttpMessageConverter() {
        FastJsonHttpMessageConverter converter = new FastJsonHttpMessageConverter();
        // default FastJsonConfig leaves SupportAutoType off; do not add it here, this converter reads request bodies from the network
        converter.setFastJsonConfig(new FastJsonConfig());
        converter.setSupportedMediaTypes(Arrays.asList(MediaType.APPLICATION_JSON, new MediaType("application", "*+json")));
        return converter;
    }
}

Conclusion

fastjson2 offers significant performance and security improvements over fastjson 1.x: AutoType is off unless explicitly enabled and can be pinned off with safeMode, and the JSONB binary format makes it a strong choice for caching, RPC and other backend scenarios where type embedding is needed and the data is trusted.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
