-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
@JsonIgnore
no longer works for transient backing fields
#3948
Comments
I think it was a big surprise to find that some users had used No change was made to At this point it is not clear whether it is possible to change behavior to match pre-2.15. EDIT: (18-Jul-2023) Change probably due to fix for #3682: |
@cowtowncoder Is it on the roadmap to fix this in 2.16? Or is enabling |
@cpu-meltdown I have no current plans to change behavior here, although it is possible that with more time (or someone else contributing change) this could be change to work the way it did pre-2.15. Also note that another way that would have avoided the issue is to annotate getter or setter instead of field; that is, move the annotation. So: I would recommend using one of 2 work-arounds at this point since there are no immediate plans of tackling this issue. |
@JsonIgnore
no longer works for transient backing fields
Oh wow. Fix looks very simple, see PR #4048. Wish I could backport to 2.15, but I have a feeling there's non-trivial risk of regression so will merge in 2.16 for 2.16.0. |
nice one 👍🏻 |
It fixes jackson transient serialization bug introduce in 2.15 : FasterXML/jackson-databind#3948 Signed-off-by: Pierre Belloy <p.belloy@axelor.com>
Describe the bug
After upgrading jackson-databind, properties were being exposed after serialization that were set to @JsonIngore and shouldn't be.
Version information
Which Jackson version(s) was this for? 2.15.+ (seeing with both 2.15.0 and 2.15.1)
JDK - Temurin-17.0.6+10
To Reproduce
If you have a way to reproduce this with:
Example unit test showing the issue. If referencing 2.14.+ it works, but fails on these assertions when using 2.15.+:
assertFalse(json.contains("world"));
assertNotEquals(obj1.getDef(), obj2.getDef());
assertNull(obj2.getDef());
Code:
Expected behavior
The test should pass the same as it did with 2.14.+
Additional context
I noticed that using the 2.15.+ version, if I set mapper.configure(MapperFeature.PROPAGATE_TRANSIENT_MARKER, true), it does start working.
Did the default somehow change? This is concerning because usages of the library could start exposing sensitive data that it wasn't in previous versions and this would be unknowingly. Since this is a minor (2.14 -> 2.15) this seems to be a big change that should be saved for a major.
I did verify mapper.isEnabled(MapperFeature.PROPAGATE_TRANSIENT_MARKER) is false in both 2.14 and 2.15, but it seems to be working in 2.14 without needing to set it to true.
The text was updated successfully, but these errors were encountered: