Making Jackson the preferred JSON serializer

[Guillaume Smet]

Hi,

We have discussed this before but I decided to take a stab at it.

We had a LOT of questions about JSON-B usage as people are more used to Jackson. We also had a couple of bugs (most quickly fixed), missing features and some reports of performance issues.

The thing is that Jackson is far more widely used and mature than JSON-B/Yasson and pushing JSON-B has put us at a disadvantage.

At first, we supported only JSON-B, then we decided to support Jackson too and, now, I'd like to make Jackson the one we recommend in docs.

We would still support JSON-B (and it's documented as well), but instead of putting JSON-B first, we would put Jackson first.

PR is here: https://github.com/quarkusio/quarkus/pull/13280 - as you can see, it only adjusts the documentation.

Both Georgios and I, who are the primary maintainers of this area, are on board with this.

Thoughts?

--

Guillaume

[George Gastaldi]

+1

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALt0%2Bo8Nf571VaF0%2BuProMrZSnmndQetkr5HPGMgU9MYij-NEg%40mail.gmail.com.

[Georgios Andrianakis]

+1

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CAMmsnJi82rYfoz4628owK9zknjfO%3DhRgu-r%2BA9u4%3DyMYd%2B3ecA%40mail.gmail.com.

[Paul Carter-Brown]

+1

I noticed this sentiment a few months ago and decided to move to Jackson from JSON-B. Performance is much better than Yasson and as you say, more people use ii.

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALeTM-nZj-%3D3nR8WPn-0X%3DB5vhwhX3uoSAOxdOyN64at3vMgBw%40mail.gmail.com.

[Ladislav Thon]

+1

LT

pá 13. 11. 2020 v 15:38 odesílatel Paul Carter-Brown <pa...@ukheshe.co.za> napsal:

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CAO8YPTRpE7cnyEbKy_QUzNheWY%3DQF0k_KDokvmOmWTXeeCkDvA%40mail.gmail.com.

[Max Rydahl Andersen]

+100

I never use anything else than jackson anyway :)

Do we wanna go add the option for turning on/off FAIL_ON_UNKNOWN_PROPERTIES to make it even nicer by default ?

/max

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALbocO%3DdYQX2%2B4oMpk22%2BGaS_bS2c5bwnSsEVuVN2yzZdmbfWg%40mail.gmail.com.

/max
https://xam.dk/about

[Loïc MATHIEU]

+1

I agree with Max, we should provide better default for Jackson, at least FAIL_ON_UNKNOWN_PROPERTIES should be off by default.

This align with JSON-B by the way

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/F06B6B7A-2B0D-426C-9A88-31592BBB4D1B%40redhat.com.

[Guillaume Smet]

On Fri, Nov 13, 2020 at 3:52 PM Max Rydahl Andersen <mand...@redhat.com> wrote:

+100

I never use anything else than jackson anyway :)

Do we wanna go add the option for turning on/off FAIL_ON_UNKNOWN_PROPERTIES to make it even nicer by default ?

I can work on that next.

[Georgios Andrianakis]

Makes sense. Most people want this default.

[Stephane Epardaud]

It's worse than that. I have a vague recollection that when we discussed Quarkus in the early days (perhaps in Vancouver?) we wondered about jackson vs jsonb and at that point someone (Clement?) told us Jackson was having a CVE at the moment that the vert.x team had to deal with and it wasn't the first time, and we sort of agreed to pick the other one then, based on this.

I mean, perhaps I'm wrong, and my memory is wrong, but I have a feeling we made that choice based on this anecdotal evidence alone, and not on more analysis. And then we just stuck with it, for some reason. Inertia?

--

You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALeTM-n2ePtAD-VotMOZ2oPU28t3atRzrNhYoOYOdupcAS7EbA%40mail.gmail.com.

--

Stéphane Épardaud

[Ken Finnigan]

There has certainly been a concern in the past around the frequency of CVEs in Jackson.

However, if the performance differences are significant enough between Jackson and Yasson, it may be a price worth paying

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CAKU9E9suqqMG2axp7Pw_W%3De1ax6j%3DbHTz7-JUvVetRh_SnePxw%40mail.gmail.com.

[Loïc MATHIEU]

We already discussed the CVE issue on Jackson, there should be some Zulip thread on it.

The ugly truth is that Jackson is more secure than JSON-B because it has CVE ...

Yasson has no CVE because nobody report any, no security researcher tries to break it, ...

I have somewhere a proof of a Jackson CVE that I could easily replicate on Yasson, fixed on Jackson but not on Yasson because ... nobody reports the threat !

And most of Jackson CVE are "security theatre" (famous words from Ladislav).

More info => https://quarkusio.zulipchat.com/#narrow/stream/187038-dev/topic/JSON-B.20serializer

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CAKU9E9suqqMG2axp7Pw_W%3De1ax6j%3DbHTz7-JUvVetRh_SnePxw%40mail.gmail.com.

[Loïc MATHIEU]

And Jackson is already used in a lot or our extension so often already in the dependency tree of a Quarkus application : OpenAPI, Kafka, Amazon Lambda, Azure Functions, Google Cloud Functions, ...

It's difficult for an extension author to support two JSON frameworks so we usually directly use one instead of providing an abstract layer ...

[Stephane Epardaud]

To be clear, I'm absolutely not saying we should stick with Json-B. I'm only giving you my recollection of why I think we picked one instead of the other, and that I think it was probably a bad reason.

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CAJLxjVFQ6ZzeTVAcnW31rrSL%2Byo0zdKYwQ33JfvkLP%2BEHZ%2B1Wg%40mail.gmail.com.

--

Stéphane Épardaud

[Guillaume Smet]

On Fri, Nov 13, 2020 at 4:09 PM Stephane Epardaud <stephane...@gmail.com> wrote:

I mean, perhaps I'm wrong, and my memory is wrong, but I have a feeling we made that choice based on this anecdotal evidence alone, and not on more analysis. And then we just stuck with it, for some reason. Inertia?

We decided that not only on anecdotal evidence: Jackson has a lot of CVEs.

But... we then decided later that it was OK because it was more scrutinized anyway and we only used a small part of it thus the fact that we added it.

And we never had a discussion to reconsider the "default", given it was only a documentation issue, both have proper extensions.

--

Guillaume

[William Burke]

Jackson over JSON-B definitely....

QSON is ready, the json parser I've been doing.

--

You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALt0%2Bo8Nf571VaF0%2BuProMrZSnmndQetkr5HPGMgU9MYij-NEg%40mail.gmail.com.

--

Bill Burke

Red Hat

[ja...@inaseq.com]

JSON-B does not support polymorphic collections.  Jackson does.  That was a key decider for us.

[Stuart Douglas]

On Sat, 14 Nov 2020 at 02:09, Stephane Epardaud <stephane...@gmail.com> wrote:

It's worse than that. I have a vague recollection that when we discussed Quarkus in the early days (perhaps in Vancouver?) we wondered about jackson vs jsonb and at that point someone (Clement?) told us Jackson was having a CVE at the moment that the vert.x team had to deal with and it wasn't the first time, and we sort of agreed to pick the other one then, based on this.

I mean, perhaps I'm wrong, and my memory is wrong, but I have a feeling we made that choice based on this anecdotal evidence alone, and not on more analysis. And then we just stuck with it, for some reason. Inertia?

It was also because JSON-B is a standard, and in general we prefer to be standards based.

I am still +1 for Jackson as default though.

Stuart

 

On Fri, 13 Nov 2020 at 16:04, Georgios Andrianakis <gand...@redhat.com> wrote:

On Fri, Nov 13, 2020 at 5:02 PM Guillaume Smet <guillau...@gmail.com> wrote:

On Fri, Nov 13, 2020 at 3:52 PM Max Rydahl Andersen <mand...@redhat.com> wrote:

+100

I never use anything else than jackson anyway :)

Do we wanna go add the option for turning on/off FAIL_ON_UNKNOWN_PROPERTIES to make it even nicer by default ?

I can work on that next.

Makes sense. Most people want this default.

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALeTM-n2ePtAD-VotMOZ2oPU28t3atRzrNhYoOYOdupcAS7EbA%40mail.gmail.com.

--

Stéphane Épardaud

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CAKU9E9suqqMG2axp7Pw_W%3De1ax6j%3DbHTz7-JUvVetRh_SnePxw%40mail.gmail.com.

[George Gastaldi]

Since JSON-B is a standard, I wonder if there is a Jackson module that implements it using jackson-core (so we could go full Jackson and ditch Yasson). 

Looking at the repositories in the fasterxml org doesn't indicate they care about it.

[Max Rydahl Andersen]

On 16 Nov 2020, at 1:05, George Gastaldi wrote:

> Since JSON-B is a standard, I wonder if there is a Jackson module that
> implements it using jackson-core (so we could go full Jackson and
> ditch
> Yasson).
>
> Looking at the repositories in the fasterxml org doesn't indicate they
> care
> about it.

you mean like
https://github.com/FasterXML/jackson-modules-base/tree/master/jaxb ?

Seem part of its base so seem they do care or is there something else
you refer to ?

/max

>>>> <https://groups.google.com/d/msgid/quarkus-dev/CALeTM-n2ePtAD-VotMOZ2oPU28t3atRzrNhYoOYOdupcAS7EbA%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .

>>>>
>>>
>>>
>>> --
>>> Stéphane Épardaud
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups
>>> "Quarkus Development mailing list" group.
>>> To unsubscribe from this group and stop receiving emails from it,
>>> send an
>>> email to quarkus-dev...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/quarkus-dev/CAKU9E9suqqMG2axp7Pw_W%3De1ax6j%3DbHTz7-JUvVetRh_SnePxw%40mail.gmail.com

>>> <https://groups.google.com/d/msgid/quarkus-dev/CAKU9E9suqqMG2axp7Pw_W%3De1ax6j%3DbHTz7-JUvVetRh_SnePxw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>


/max
https://xam.dk/about

[George Gastaldi]

I was referring to JSON-B,  not JAXB :)

[Max Rydahl Andersen]

> I was referring to JSON-B, not JAXB :)

ah gah - my bad for mixing up acronyms.

I got it from
https://github.com/FasterXML/jackson-future-ideas/issues/19 which was
about JSON-B
which then linked me to
https://github.com/FasterXML/jackson-module-jaxb-annotations which
brought me to the modules-base.

so yeah - me missing up jaxb and jsonb ....its all just maps of maps
anyway, right ? :)

/max

/max
https://xam.dk/about

[William Burke]

Looking quickly at the PR, this is just documentation right?  No plans on including jackson with resteasy by default right?  I don't want users to have to exclude a dependency in order to use a different json binding library.

On Fri, Nov 13, 2020 at 9:31 AM Guillaume Smet <guillau...@gmail.com> wrote:

--

You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALt0%2Bo8Nf571VaF0%2BuProMrZSnmndQetkr5HPGMgU9MYij-NEg%40mail.gmail.com.

[Georgios Andrianakis]

Yes, exactly.

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CAL%3DE%3DjTR5Y8oNeCBLCKPcEEV782Lrtomid-UFGBvp9-r1mbw7Q%40mail.gmail.com.

[Guillaume Smet]

Yeah, basically my work was:

- documentation change

- update all the quickstarts

- put jackson in front of jsonb on code.quarkus.io

and that's it. No code changes in core.

[Erin Schnabel]

s/default/encouraged/ =)

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CALt0%2Bo9VptGVLK21DbU7SpvcUZ%2BHSnhcy%3DokbXo_y66AsX6FFA%40mail.gmail.com.

[Hristo Stoyanov]

There may be some additional work to be done with OpenAPI generator project to support this. See this

[Antonio Goncalves]

Hi,

This can be related. Yesterday I created an issue (an enhancement) about RESTAssured not behaving the same way between JSON-B and Jackskon. There is an extra configuration to be done with JSON-B that is not mandatory with Jackson:

https://github.com/quarkusio/quarkus/issues/13459

Antonio

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/35edeec7-7a27-47e5-934d-10f89b49335fn%40googlegroups.com.

--

Antonio Goncalves 
Contractor, Java Champion and Pluralsight author

Blog | Twitter | LinkedIn | Author | Pluralsight | Devoxx France | Voxxed Microservices