spring-security/docs/modules/ROOT/pages/features/integrations/jackson.adoc

[[jackson]]
= Jackson Support

Spring Security provides Jackson support for persisting Spring Security related classes.
This can improve the performance of serializing Spring Security related classes when working with distributed sessions (i.e. session replication, Spring Session, etc).

To use it, register the `SecurityJacksonModules.getModules(ClassLoader)` with `JsonMapper.Builder` (https://github.com/FasterXML/jackson-databind[jackson-databind]):

[tabs]
======
Java::
+
[source,java,role="primary"]
----
ClassLoader loader = getClass().getClassLoader();
JsonMapper mapper = JsonMapper.builder()
        .addModules(SecurityJacksonModules.getModules(loader))
        .build();

// ... use JsonMapper as normally ...
SecurityContext context = new SecurityContextImpl();
// ...
String json = mapper.writeValueAsString(context);
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
val loader = javaClass.classLoader
val mapper = JsonMapper.builder()
    .addModules(SecurityJacksonModules.getModules(loader))
    .build()

// ... use JsonMapper as normally ...
val context: SecurityContext = SecurityContextImpl()
// ...
val json: String = mapper.writeValueAsString(context)
----
======

[NOTE]
====
The following Spring Security modules provide Jackson support:

- spring-security-core (`CoreJacksonModule`)
- spring-security-web (`WebJacksonModule`, `WebServletJacksonModule`, `WebServerJacksonModule`)
- xref:servlet/oauth2/client/index.adoc#oauth2client[ spring-security-oauth2-client] (`OAuth2ClientJacksonModule`)
- spring-security-cas (`CasJacksonModule`)
====
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00			`[[jackson]]`
Remove include servlet/saml2/index.adoc 2021-07-30 13:52:15 -05:00			`= Jackson Support`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00
Document Jackson serialization support for OAuth 2.0 Client Fixes gh-8075 2020-03-18 13:59:40 -04:00			`Spring Security provides Jackson support for persisting Spring Security related classes.`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00			`This can improve the performance of serializing Spring Security related classes when working with distributed sessions (i.e. session replication, Spring Session, etc).`

Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			To use it, register the `SecurityJacksonModules.getModules(ClassLoader)` with `JsonMapper.Builder` (https://github.com/FasterXML/jackson-databind[jackson-databind]):
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`[tabs]`
			`======`
			`Java::`
			`+`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00			`[source,java,role="primary"]`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00			`----`
			`ClassLoader loader = getClass().getClassLoader();`
Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			`JsonMapper mapper = JsonMapper.builder()`
			`.addModules(SecurityJacksonModules.getModules(loader))`
			`.build();`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00
Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			`// ... use JsonMapper as normally ...`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00			`SecurityContext context = new SecurityContextImpl();`
			`// ...`
			`String json = mapper.writeValueAsString(context);`
			`----`
Document Jackson serialization support for OAuth 2.0 Client Fixes gh-8075 2020-03-18 13:59:40 -04:00
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`Kotlin::`
			`+`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00			`[source,kotlin,role="secondary"]`
			`----`
			`val loader = javaClass.classLoader`
Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			`val mapper = JsonMapper.builder()`
			`.addModules(SecurityJacksonModules.getModules(loader))`
			`.build()`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00
Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			`// ... use JsonMapper as normally ...`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00			`val context: SecurityContext = SecurityContextImpl()`
			`// ...`
			`val json: String = mapper.writeValueAsString(context)`
			`----`
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`======`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00
Document Jackson serialization support for OAuth 2.0 Client Fixes gh-8075 2020-03-18 13:59:40 -04:00			`[NOTE]`
			`====`
			`The following Spring Security modules provide Jackson support:`

Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			- spring-security-core (`CoreJacksonModule`)
			- spring-security-web (`WebJacksonModule`, `WebServletJacksonModule`, `WebServerJacksonModule`)
			- xref:servlet/oauth2/client/index.adoc#oauth2client[ spring-security-oauth2-client] (`OAuth2ClientJacksonModule`)
			- spring-security-cas (`CasJacksonModule`)
Document Jackson serialization support for OAuth 2.0 Client Fixes gh-8075 2020-03-18 13:59:40 -04:00			`====`