I have an entity class with a password field:
class User {
    private String password;
    //setter, getter..
}
I want this field to be skipped during serialization. But it should still be able to deserialize. This is needed, so that the client can send me a new password, but is not able to read the current one.
How do I accomplish this with Jackson?
Aside from @JsonIgnore, there are a couple of other possibilities:
@JsonIgnoreProperties on class may be useful
Illustrating what StaxMan has stated, this works for me
private String password;

@JsonIgnore
public String getPassword() {
    return password;
}

@JsonProperty
public void setPassword(String password) {
    this.password = password;
}
Starting with Jackson 2.6, a property can be marked as read- or write-only. It's simpler than hacking the annotations on both accessors and keeps all the information in one place:
public class User {
    @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
    private String password;
}
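A round-trip check for the two approaches shown in the answers above (split @JsonIgnore/@JsonProperty accessors, and Access.WRITE_ONLY), as an added example that is not part of the original answers. The class names, the name field, the HasPassword interface and the sample JSON are constructed for illustration; it assumes jackson-databind 2.6 or later on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PasswordLeakCheck {
    // Hypothetical helper interface so one check can cover both variants.
    interface HasPassword { String getPassword(); }

    // Variant 1: single annotation on the field (Jackson 2.6+).
    static class UserWriteOnly implements HasPassword {
        @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
        private String password;
        public String name;
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
    }

    // Variant 2: getter ignored, setter explicitly kept.
    static class UserSplit implements HasPassword {
        private String password;
        public String name;
        @JsonIgnore public String getPassword() { return password; }
        @JsonProperty public void setPassword(String password) { this.password = password; }
    }

    static <T extends HasPassword> void check(ObjectMapper mapper, Class<T> type) throws Exception {
        // Constructed sample request body, as a client would send it.
        String incoming = "{\"name\":\"alice\",\"password\":\"constructed-sample\"}";
        T user = mapper.readValue(incoming, type);
        if (!"constructed-sample".equals(user.getPassword()))
            throw new AssertionError(type.getSimpleName() + ": password was not deserialized");

        // Inspect the serialized tree instead of searching the output string.
        JsonNode out = mapper.valueToTree(user);
        if (out.has("password"))
            throw new AssertionError(type.getSimpleName() + ": password leaked into output");
        if (!"alice".equals(out.path("name").asText()))
            throw new AssertionError(type.getSimpleName() + ": unrelated field was dropped");
        System.out.println(type.getSimpleName() + " -> " + out);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        check(mapper, UserWriteOnly.class);
        check(mapper, UserSplit.class);
    }
}
```

Running the same check against every ObjectMapper configuration the application uses catches a mapper-level setting that changes how the annotations are applied.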
One should ask why you would want a public getter method for the password. Hibernate, or any other ORM framework, will do with a private getter method. For checking whether the password is correct, you can use
public boolean checkPassword(String password){
    return this.password.equals(anyHashingMethod(password));
}
transient is the solution for me. Thanks! It's native to Java and saves you from adding another framework-specific annotation.
The easy way is to annotate your getters and setters.
Here is the original example modified to exclude the plain text password, but then annotate a new method that just returns the password field as encrypted text.
class User {
    private String password;

    public void setPassword(String password) {
        this.password = password;
    }

    @JsonIgnore
    public String getPassword() {
        return password;
    }

    @JsonProperty("password")
    public String getEncryptedPassword() {
        // encryption logic
    }
}
Set the variable as @JsonIgnore. This allows the variable to be skipped by the JSON serializer.
You can mark it as @JsonIgnore.
With 1.9, you can add @JsonIgnore for the getter and @JsonProperty for the setter, to make it deserialize but not serialize.
Jackson has a class named SimpleBeanPropertyFilter that helps to filter fields during serialization and deserialization; not globally. I think that's what you wanted.
@JsonFilter("custom_serializer")
class User {
    private String password;
    //setter, getter..
}
Then in your code:
String[] fieldsToSkip = new String[] { "password" };
ObjectMapper mapper = new ObjectMapper();
final SimpleFilterProvider filter = new SimpleFilterProvider();
filter.addFilter("custom_serializer",
        SimpleBeanPropertyFilter.serializeAllExcept(fieldsToSkip));
mapper.setFilters(filter);
String jsonStr = mapper.writeValueAsString(currentUser);
This will prevent the password field from being serialized. You will also be able to deserialize password fields as they are. Just make sure no filters are applied on the ObjectMapper object.
ObjectMapper mapper = new ObjectMapper();
User user = mapper.readValue(yourJsonStr, User.class); // user object does have non-null password field
Source: Stackoverflow.com