Integrating fastjson into Spring Boot: notes from experience
Garbled Chinese characters problem
Ordering of serialized fields
1, Background
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write, and easy for machines to parse and generate. It is based on a subset of the JavaScript programming language, Standard ECMA-262 3rd Edition - December 1999.
JSON is a data format popularized by Douglas Crockford in 2001; it officially became a mainstream data format between 2005 and 2006.
JSON is widely used in front-end JavaScript. Representing an in-memory object's structure and data as a JSON-format string is called serialization; converting a JSON-format string back into an in-memory object is called deserialization.
Because JSON is so widely used on the front end, back ends in various languages have developed their own serialization and deserialization tools.
Spring Boot uses jackson for serialization and deserialization by default.
from performance testing Fast serialization has no obvious advantage over fast serialization
Before introducing fastjson, the blogger is used to removing the jackson dependency first:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <!-- Remove the Jackson dependency -->
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-json</artifactId>
        </exclusion>
    </exclusions>
</dependency>
```
2, Integrating fastjson into spring boot
Merely adding the dependency only lets you call fastjson explicitly in your own code. Once it is integrated into Spring Boot, every object passed into or returned from a controller is deserialized and serialized by fastjson.
I like to write configuration classes
```java
import com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import java.util.List;

@Configuration
public class WebConfig implements WebMvcConfigurer {
    // WebMvcConfigurerAdapter is deprecated as of Spring Boot 2.0; the official
    // recommendation is to implement the WebMvcConfigurer interface directly.

    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        FastJsonHttpMessageConverter converter = new FastJsonHttpMessageConverter();

        // Custom configuration
        // Serialized fields are sorted alphabetically
        // FastJsonConfig config = new FastJsonConfig();
        // config.set...
        // converter.setFastJsonConfig(config);

        // Fix garbled Chinese characters in network transmission
        // List<MediaType> fastMediaTypes = new ArrayList<>();
        // fastMediaTypes.add(MediaType.APPLICATION_JSON_UTF8);
        // converter.setSupportedMediaTypes(fastMediaTypes);

        // Put fastjson first so it takes precedence over the other converters
        converters.add(0, converter);
    }
}
```
Date format, circular-reference handling, and other features can be configured in FastJsonConfig.
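A filled-in FastJsonConfig for this converter, as an added example rather than the author's code. Because the converter parses every request body sent to a controller, it also turns on fastjson's safeMode so that `@type` hints in client-supplied JSON are rejected. The class name is hypothetical, the date pattern and feature choices are illustrative, and safeMode assumes fastjson 1.2.68 or later.

```java
import com.alibaba.fastjson.parser.ParserConfig;
import com.alibaba.fastjson.serializer.SerializerFeature;
import com.alibaba.fastjson.support.config.FastJsonConfig;
import com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class name); assumes fastjson 1.2.68+ for safeMode.
@Configuration
public class HardenedFastJsonWebConfig implements WebMvcConfigurer {

    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        // Request bodies are parsed with this ParserConfig. In safeMode the parser
        // rejects any "@type" hint, so client JSON cannot pick the Java class to build.
        ParserConfig parserConfig = new ParserConfig();
        parserConfig.setSafeMode(true);
        // Also cover direct JSON.parse / JSON.parseObject calls elsewhere in the app.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        FastJsonConfig config = new FastJsonConfig();
        config.setParserConfig(parserConfig);
        config.setCharset(StandardCharsets.UTF_8);      // encoding of the JSON body
        config.setDateFormat("yyyy-MM-dd HH:mm:ss");    // illustrative pattern
        config.setSerializerFeatures(
                // Write repeated objects in full instead of "$ref" pointers.
                SerializerFeature.DisableCircularReferenceDetect,
                // Keep null-valued fields in the output.
                SerializerFeature.WriteMapNullValue);

        FastJsonHttpMessageConverter converter = new FastJsonHttpMessageConverter();
        converter.setFastJsonConfig(config);
        // Advertise application/json with an explicit UTF-8 charset so clients do not
        // guess the encoding (the garbled-Chinese case).
        converter.setSupportedMediaTypes(Collections.singletonList(
                new MediaType("application", "json", StandardCharsets.UTF_8)));
        converters.add(0, converter);
    }
}
```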
3, Some usage problems
3.1 Serialized field ordering problem
When jackson serializes to JSON, the field order matches the declaration order.
fastjson, however, deliberately sorts fields alphabetically when serializing, possibly for speed.
Generally speaking, this does not affect usage.
If you need a specific order, there are currently several methods, listed here from most to least recommended:
- Annotate each field of the class with @JSONField(ordinal = 1). This is the most practical and effective.
- From a GitHub issue; I haven't tried it, and I can't understand the code:

  ```java
  // Clear the SortField bit in the global default serializer features
  JSON.DEFAULT_GENERATE_FEATURE &= ~SerializerFeature.SortField.getMask();
  // true = field-based serialization; javaObject is the object to serialize
  SerializeConfig serializeConfig = new SerializeConfig(true);
  System.out.println(JSON.toJSONString(javaObject, serializeConfig));
  ```

- From the official wiki. It seems this configuration cannot be used on its own; it may take effect only together with other configurations. Refer to issues #372 and #1777.