spring-security/docs/modules/ROOT/pages/features/integrations/jackson.adoc

[[jackson]]
= Jackson Support

Spring Security provides Jackson 3 support for persisting Spring Security related classes.
This can improve the performance of serializing Spring Security related classes when working with distributed sessions (i.e. session replication, Spring Session, etc).

[NOTE]
====
Jackson 2 support is still available but deprecated for removal, so you are encouraged to migrate to Jackson 3.
====

To use it, register `SecurityJacksonModules.getModules(ClassLoader)` with `JsonMapper.Builder` (https://github.com/FasterXML/jackson-databind[jackson-databind]):

[tabs]
======
Java::
+
[source,java,role="primary"]
----
ClassLoader loader = getClass().getClassLoader();
JsonMapper mapper = JsonMapper.builder()
        .addModules(SecurityJacksonModules.getModules(loader))
        .build();

// ... use JsonMapper as normally ...
SecurityContext context = new SecurityContextImpl();
// ...
String json = mapper.writeValueAsString(context);
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
val loader = javaClass.classLoader
val mapper = JsonMapper.builder()
    .addModules(SecurityJacksonModules.getModules(loader))
    .build()

// ... use JsonMapper as normally ...
val context: SecurityContext = SecurityContextImpl()
// ...
val json: String = mapper.writeValueAsString(context)
----
======

[NOTE]
====
Using `SecurityJacksonModules` as above enables automatic inclusion of type information and configure a
`PolymorphicTypeValidator` that handles the validation of class names.
====

If needed, you can add custom classes to the validation handling.

[tabs]
======
Java::
+
[source,java,role="primary"]
----
ClassLoader loader = getClass().getClassLoader();
BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder()
        .allowIfSubType(MyCustomType.class);
JsonMapper mapper = JsonMapper.builder()
        .addModules(SecurityJacksonModules.getModules(loader, builder))
        .build();
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
val loader = javaClass.classLoader
val builder = BasicPolymorphicTypeValidator.builder()
        .allowIfSubType(MyCustomType::class)
val mapper = JsonMapper.builder()
    .addModules(SecurityJacksonModules.getModules(loader, builder))
    .build()
----
======

[NOTE]
====
The following Spring Security modules provide Jackson support:

- spring-security-core (javadoc:org.springframework.security.jackson.CoreJacksonModule[])
- spring-security-web (javadoc:org.springframework.security.web.jackson.WebJacksonModule[], javadoc:org.springframework.security.web.jackson.WebServletJacksonModule[], javadoc:org.springframework.security.web.server.jackson.WebServerJacksonModule[])
- spring-security-oauth2-client (javadoc:org.springframework.security.oauth2.client.jackson.OAuth2ClientJacksonModule[])
- spring-security-cas (javadoc:org.springframework.security.cas.jackson.CasJacksonModule[])
- spring-security-ldap (javadoc:org.springframework.security.ldap.jackson.LdapJacksonModule[])
- spring-security-saml2 (javadoc:org.springframework.security.saml2.jackson.Saml2JacksonModule[])
====
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00			`[[jackson]]`
Remove include servlet/saml2/index.adoc 2021-07-30 13:52:15 -05:00			`= Jackson Support`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00
Refine documentation for Jackson 3 This commit refines the documentation by: - Updating Jackson documentation for Jackson 3 - Removing the outdated documentation in servlet - Adding migration guidelines Closes gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-10-17 11:24:48 +02:00			`Spring Security provides Jackson 3 support for persisting Spring Security related classes.`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00			`This can improve the performance of serializing Spring Security related classes when working with distributed sessions (i.e. session replication, Spring Session, etc).`

Refine documentation for Jackson 3 This commit refines the documentation by: - Updating Jackson documentation for Jackson 3 - Removing the outdated documentation in servlet - Adding migration guidelines Closes gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-10-17 11:24:48 +02:00			`[NOTE]`
			`====`
			`Jackson 2 support is still available but deprecated for removal, so you are encouraged to migrate to Jackson 3.`
			`====`

			To use it, register `SecurityJacksonModules.getModules(ClassLoader)` with `JsonMapper.Builder` (https://github.com/FasterXML/jackson-databind[jackson-databind]):
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`[tabs]`
			`======`
			`Java::`
			`+`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00			`[source,java,role="primary"]`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00			`----`
			`ClassLoader loader = getClass().getClassLoader();`
Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			`JsonMapper mapper = JsonMapper.builder()`
			`.addModules(SecurityJacksonModules.getModules(loader))`
			`.build();`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00
Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			`// ... use JsonMapper as normally ...`
Adds What's New Spring Security 4.2 Fixes gh-4070 2016-09-23 13:02:27 -05:00			`SecurityContext context = new SecurityContextImpl();`
			`// ...`
			`String json = mapper.writeValueAsString(context);`
			`----`
Document Jackson serialization support for OAuth 2.0 Client Fixes gh-8075 2020-03-18 13:59:40 -04:00
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`Kotlin::`
			`+`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00			`[source,kotlin,role="secondary"]`
			`----`
			`val loader = javaClass.classLoader`
Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			`val mapper = JsonMapper.builder()`
			`.addModules(SecurityJacksonModules.getModules(loader))`
			`.build()`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00
Add Jackson 3 support This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-09-01 18:23:31 +02:00			`// ... use JsonMapper as normally ...`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00			`val context: SecurityContext = SecurityContextImpl()`
			`// ...`
			`val json: String = mapper.writeValueAsString(context)`
			`----`
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`======`
Add remaining servlet Kotlin examples Issue gh-8172 2021-06-16 10:31:29 +02:00
Refine documentation for Jackson 3 This commit refines the documentation by: - Updating Jackson documentation for Jackson 3 - Removing the outdated documentation in servlet - Adding migration guidelines Closes gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-10-17 11:24:48 +02:00			`[NOTE]`
			`====`
			Using `SecurityJacksonModules` as above enables automatic inclusion of type information and configure a
			`PolymorphicTypeValidator` that handles the validation of class names.
			`====`

			`If needed, you can add custom classes to the validation handling.`

			`[tabs]`
			`======`
			`Java::`
			`+`
			`[source,java,role="primary"]`
			`----`
			`ClassLoader loader = getClass().getClassLoader();`
			`BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder()`
			`.allowIfSubType(MyCustomType.class);`
			`JsonMapper mapper = JsonMapper.builder()`
			`.addModules(SecurityJacksonModules.getModules(loader, builder))`
			`.build();`
			`----`

			`Kotlin::`
			`+`
			`[source,kotlin,role="secondary"]`
			`----`
			`val loader = javaClass.classLoader`
			`val builder = BasicPolymorphicTypeValidator.builder()`
			`.allowIfSubType(MyCustomType::class)`
			`val mapper = JsonMapper.builder()`
			`.addModules(SecurityJacksonModules.getModules(loader, builder))`
			`.build()`
			`----`
			`======`

Document Jackson serialization support for OAuth 2.0 Client Fixes gh-8075 2020-03-18 13:59:40 -04:00			`[NOTE]`
			`====`
			`The following Spring Security modules provide Jackson support:`

Refine documentation for Jackson 3 This commit refines the documentation by: - Updating Jackson documentation for Jackson 3 - Removing the outdated documentation in servlet - Adding migration guidelines Closes gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com> 2025-10-17 11:24:48 +02:00			`- spring-security-core (javadoc:org.springframework.security.jackson.CoreJacksonModule[])`
			`- spring-security-web (javadoc:org.springframework.security.web.jackson.WebJacksonModule[], javadoc:org.springframework.security.web.jackson.WebServletJacksonModule[], javadoc:org.springframework.security.web.server.jackson.WebServerJacksonModule[])`
			`- spring-security-oauth2-client (javadoc:org.springframework.security.oauth2.client.jackson.OAuth2ClientJacksonModule[])`
			`- spring-security-cas (javadoc:org.springframework.security.cas.jackson.CasJacksonModule[])`
			`- spring-security-ldap (javadoc:org.springframework.security.ldap.jackson.LdapJacksonModule[])`
			`- spring-security-saml2 (javadoc:org.springframework.security.saml2.jackson.Saml2JacksonModule[])`
Document Jackson serialization support for OAuth 2.0 Client Fixes gh-8075 2020-03-18 13:59:40 -04:00			`====`