117

I'm implementing a RESTful web service where user has to send a signed verification token along with the request so that I could ensure that the request has not been tampered by a middle man. My current implementation is as follows.

Verification token is a VerifData object serialized into a String and then hashed and encrypted.

class VerifData {
    int prop1;
    int prop2;
}

In my service, I put data to be serialized into an instance of VerifData and then serialize it using Jackson ObjectMapper and passed along to the verification engine along with the verification token.

VerfiData verifData = new VerifData(12345, 67890);
ObjectMapper mapper = new ObjectMapper();
String verifCodeGenerated = mapper.writeValueAsString(verifData);

But it seems that each time the application container is started, the order of properties being mapped into a string by ObjectMapper changes.

Ex: one time it would be

{"prop1":12345,"prop2":67890}

and another time it would be

{"prop2":67890,"prop1":12345}

So if client has serialized the VerifData instance as into the first String, there is 50% chance of it being failed even though it is correct.

Is there a way to get around this? Can I specify the order of properties to map by ObjectMapper (like in ascending order)? Or is there any other way to best implement this verification step. Both client and server implementations are developed by me. I use Java Security API for signing and verifying.

Lizzy
  • 2,033
  • 3
  • 20
  • 33

12 Answers12

120

The annotations are useful, but can be a pain to apply everywhere. You can configure your whole ObjectMapper to work this way with

Current Jackson versions:

objectMapper.configure(MapperFeature.SORT_PROPERTIES_ALPHABETICALLY, true)

Older Jackson versions:

objectMapper.configure(SerializationConfig.Feature.SORT_PROPERTIES_ALPHABETICALLY, true);

Nathan
  • 8,093
  • 8
  • 50
  • 76
Duncan McGregor
  • 17,665
  • 12
  • 64
  • 118
  • 2
    This is not quite correct (or at least doesn't work in all scenarios) -- see https://stackoverflow.com/a/46267506/2089674 for a complete example of something that works. – user2089674 Sep 17 '17 at 18:31
  • 5
    @user2089674 - your example only works for Map keys. The OP requested a solution for Object fields. – Dave Apr 19 '18 at 02:34
109

From the Jackson Annotations documentation:

// ensure that "id" and "name" are output before other properties
@JsonPropertyOrder({ "id", "name" })

// order any properties that don't have explicit setting using alphabetic order
@JsonPropertyOrder(alphabetic=true)
Albert Iordache
  • 409
  • 1
  • 5
  • 15
wgitscht
  • 2,676
  • 2
  • 21
  • 25
20

The following 2 ObjectMapper configuration are required:

ObjectMapper.configure(MapperFeature.SORT_PROPERTIES_ALPHABETICALLY, true)
or
ObjectMapper.enable(MapperFeature.SORT_PROPERTIES_ALPHABETICALLY)

defines the property serialization order used for POJO fields
Note: does not apply to java.util.Map serialization!

and

ObjectMapper.configure(SerializationFeature.ORDER_MAP_ENTRIES_BY_KEYS, true)
or
ObjectMapper.enable(SerializationFeature.ORDER_MAP_ENTRIES_BY_KEYS)

Feature that determines whether java.util.Map entries are first sorted by key before serialization

Spring Boot config example (yaml):

spring:
  jackson:
    mapper:
      SORT_PROPERTIES_ALPHABETICALLY: true
    serialization:
      ORDER_MAP_ENTRIES_BY_KEYS: true
magiccrafter
  • 5,175
  • 1
  • 56
  • 50
11

In Jackson 2.x, which you are probably using today, use:

ObjectMapper mapper = new ObjectMapper();
mapper.configure(SerializationFeature.ORDER_MAP_ENTRIES_BY_KEYS, true);

If you care about looks, you may also consider SerializationFeature.INDENT_OUTPUT as well.

Note that you must serialize Maps or Objects for this to sort correctly. If you serialize a JsonNode for example (from readTree), that won't be properly indented.

Example

import com.fasterxml.jackson.databind.*;

ObjectMapper mapper = new ObjectMapper();
mapper.configure(SerializationFeature.ORDER_MAP_ENTRIES_BY_KEYS, true);
mapper.configure(SerializationFeature.INDENT_OUTPUT, true);

String input = "{\"hello\": {\"cruel\" : \"world\"} }";
Object pojo = mapper.readValue(input, Object.class);
System.out.println(mapper.writeValueAsString(pojo));

results in:

{
  "hello" : {
    "cruel" : "world"
  }
}
Community
  • 1
  • 1
user2089674
  • 2,028
  • 2
  • 15
  • 7
10

In Spring Boot you can add this behaviour globally by adding the following to your Application entry point class:

  @Bean
  public Jackson2ObjectMapperBuilder objectMapperBuilder() {

    Jackson2ObjectMapperBuilder builder = new Jackson2ObjectMapperBuilder();
    builder.featuresToEnable(MapperFeature.SORT_PROPERTIES_ALPHABETICALLY);

    return builder;
  }
Gary
  • 7,167
  • 3
  • 38
  • 57
9

There is an easier way in Spring Boot by specifying a property (in application.properties for example:

spring.jackson.mapper.sort_properties_alphabetically=true
Wim Deblauwe
  • 25,113
  • 20
  • 133
  • 211
3

From Duncan McGregor's answer: Its better to use it like this:

objectMapper.configure(SerializationConfig.Feature.SORT_PROPERTIES_ALPHABETICALLY, true);

as MapperFeature is for XMLs and comes with jackson-databind which is not required...

Nemes Nisano
  • 49
  • 1
  • 3
3

I discovered yet another way today in case alphabetic is not your desired sorting order. It turns out adding a @JsonProperty annotation on a field places it last when writing if the rest of the fields are not annotated. I discovered that when I wanted to specify a property name which did not conform to java naming conventions.

By Adding an index attribute you can define the order. Lowest index is placed first.

@JsonProperty(index=20)
String prop1;

@JsonProperty(index=10)
String prop2;

Would render:

{"prop2": "valueProp2", "prop1": "valueProp1"}
Rythmic
  • 759
  • 2
  • 10
  • 25
1

You can use mix-in and specify the order of properties as you like:

import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.context.annotation.Bean;
import org.springframework.stereotype.Component;

@Component
public final class ObjectMapperUtils {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    static {
        MAPPER.addMixIn(Object.class, IdFirst.class);
    }

    @Bean
    public ObjectMapper objectMapper() {
        return MAPPER;
    }

    @JsonPropertyOrder({"id", "...", "..."})
    private abstract static class IdFirst {}

}
Marcus Voltolim
  • 413
  • 4
  • 12
1

I realize this is an old thread, but since I was looking or an answer and landed here, some additional info could be handy for other people.
The @JsonProperty annotation I am using currently (jackson-annotations-2.11.2) accepts, besides the "value" argument, an "index" (numeric) argument that specifies the order of the fields during serialization.

PaulN
  • 63
  • 2
  • 10
0

Instead of using flag argument: 

objectMapper.enable(MapperFeature.SORT_PROPERTIES_ALPHABETICALLY);
Leon
  • 3,124
  • 31
  • 36
0

As @Gary Rowe mentioned, we can use Jackson2ObjectMapperBuilder to sort the properties globally. However for this to work, you must have Jackson2ObjectMapperBuilder in your classpath. It is not part of the Jackson library.

As per this documentation, spring-web dependency has Jackson2ObjectMapperBuilder file and should be in your classpath.

@Bean
  public Jackson2ObjectMapperBuilder objectMapperBuilder() {

    Jackson2ObjectMapperBuilder builder = new Jackson2ObjectMapperBuilder();
    builder.featuresToEnable(MapperFeature.SORT_PROPERTIES_ALPHABETICALLY);

    return builder;
  }

You can refer to this for other possible solutions

Praj
  • 451
  • 2
  • 5