@JsonIgnoreProperties(ignoreUnknown=false) is not working in Spring 4.2.8 and upper version [SPR-15008]

[spring-projects-issues]

Masbha Uddin Ahmed opened SPR-15008 and commented

Recently we have increased our Spring version from 4.0.4 to 4.2.8 and this we have done in order to support MongoDB upgrade to 3.2.x version. After upgrading to latest spring version we have noticed, in all Rest Api's if we pass some invalid inputs along with valid input fields, requests are still getting through and getting 200 response code even though it has invalid fields.

This was working fine in previous Spring version of 4.0.4, where it will throw malformed syntax with 400 response code.

Somehow with recent upgrades of Spring, this feature is not working anymore. We have tried different Spring version in 4.2.x and 4.3.x series, still it is not working as expected.

Please find the example below for understanding on this issue. We need a solution or workaround on this issue as we couldn't figure out what is causing the issue.

Also could you confirm is this a bug in Spring or are we missing anything with Spring upgrade.

@JsonIgnoreProperties(ignoreUnknown=false) is not working with spring 4.2.0 and upper version of spring. But it is working with 4.0.4 and 4.0.1 .

Spring and Jackson dependency we have used,

              <dependency>
			<groupId>com.fasterxml.jackson.core</groupId>
			<artifactId>jackson-databind</artifactId>
			<version>2.6.3</version>
		</dependency>
		<dependency>
			<groupId>com.fasterxml.jackson.core</groupId>
			<artifactId>jackson-core</artifactId>
			<version>2.6.3</version>
		</dependency>
		<dependency>
			<groupId>com.fasterxml.jackson.core</groupId>
			<artifactId>jackson-annotations</artifactId>
			<version>2.6.3</version>
		</dependency> 
               <dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-context</artifactId>
			<version>4.2.8.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>4.2.8.RELEASE</version>
		</dependency>

If I send json request with invalid fields then it is accepting as a valid request. But it should give the bad request response.

For example:
If I have class

public class Student {
private String id;
private String name;
}

If send valid corresponding json request it should be like

{
"id": "123",
"name": "test"
}

But even if I send json request with invalid fields like below it is still accepting.

{
"id": "123",
"name": "test",
"anyinvalidkey": "test"
}

---

Affects: 4.2.4, 4.2.8

Issue Links:

• Set Jackson FAIL_ON_UNKNOWN_PROPERTIES property to false by default [SPR-11891] #16510 Set Jackson FAIL_ON_UNKNOWN_PROPERTIES property to false by default

[spring-projects-issues]

Masbha Uddin Ahmed commented

Team,
Kindly provide an update on this issue as it is opened for long time.

[spring-projects-issues]

Sébastien Deleuze commented

We deliberately changed Jackson default configuration to DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES = false as of Spring Framework 4.1 as detailed on #16510. See also the related discussion on this jackson issue.

You can easily bring back the old behavior using Jackson2ObjectMapperBuilder, for example if you are using Spring Boot add this bean in your @Configuration:

@Bean
public Jackson2ObjectMapperBuilder mapperBuilder() {
	return new Jackson2ObjectMapperBuilder().failOnUnknownProperties(true);
}

Based on my tests, @JsonIgnoreProperties(ignoreUnknown=false) doesn't seems to be taken in account when the object mapper has a customized DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES configuration. That's indeed surprising, but I don't see what we could do there on Spring Framework side. Maybe you should raise a bug or at least a question on https://github.com/FasterXML/jackson-databind/issues.

Any thoughts?

[spring-projects-issues]

Sébastien Deleuze commented

Resolving this issue as incomplete since no feedback has been provided for a long time and if there is an issue, it seems to be more on Jackson side.

[sabirove]

The reason: FasterXML/jackson-databind#3067

If DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES is disabled JsonIgnoreProperties(ignoreUnknown=false) won't override it!