In the old project, several JSON libraries were used side by side with no unified management. A new project was recently started to standardize on a single JSON library, which not only reduces the size of the jar packages but also avoids system-wide problems caused by a bug in any one of them.

In fact, only a few months ago we had to upgrade FastJson across the board because of a FastJson bug. The project currently contains FastJson, Gson, and Jackson. Although that is several libraries, each is used in only a few scenarios, so the situation is still manageable.

This article summarizes some research into FastJson. Although the decision was made to disable FastJson in our project, it is worth understanding the library before giving it up.

FastJson overview

Fastjson is an open source JSON parsing library from Alibaba. It is written in Java and supports conversion between JSON-formatted strings and JavaBeans. It uses an algorithm that “assumes ordered fast matching” to maximize JSON parsing performance.

Because its interface is easy to use, it has been widely adopted for cache serialization, protocol interaction, web output, and other scenarios.

A simple example of FastJson

Let us start with a simple example of using FastJson. First add the FastJson dependency to your project:

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.70</version>
</dependency>

The version must be at least 1.2.70. Why? Earlier versions had too many bugs.

Next define a JavaBean; let us take User as an example:

public class User {

    private String userName;

    private int age;

    private String address;

    // getters/setters and toString omitted
}

Example:

import com.alibaba.fastjson.JSONObject;

public static void main(String[] args) {
    String json = "{\"address\":\"Beijing\",\"age\":28,\"user_name\":\"Tom\"}";
    // Convert the JSON string to a JavaBean
    User user = JSONObject.parseObject(json, User.class);
    System.out.println(user);
    // Convert the JavaBean back to a JSON string
    String result = JSONObject.toJSONString(user);
    System.out.println(result);
}

In the example, the JSON string is converted to a User object via parseObject, and the User object is then converted back to JSON via toJSONString. Very convenient to use, isn't it?

Note the key “user_name” in the JSON string: by default FastJson binds an underscored key to the corresponding camelCase property of the JavaBean.

Running the program prints:

User(userName=Tom, age=28, address=Beijing)
{"address":"Beijing","age":28,"userName":"Tom"}

The program runs as expected.

FastJson also offers a number of other commonly used APIs, such as:

public static final Object parse(String text); // Parse JSON text into a JSONObject or JSONArray
public static final JSONObject parseObject(String text); // Parse JSON text into a JSONObject
public static final <T> T parseObject(String text, Class<T> clazz); // Parse JSON text into a JavaBean
public static final JSONArray parseArray(String text); // Parse JSON text into a JSONArray
public static final <T> List<T> parseArray(String text, Class<T> clazz); // Parse JSON text into a List of JavaBeans
public static final String toJSONString(Object object); // Serialize a JavaBean to JSON text
public static final String toJSONString(Object object, boolean prettyFormat); // Serialize a JavaBean, optionally pretty-printed
public static final Object toJSON(Object javaObject); // Convert a JavaBean to a JSONObject or JSONArray

With these you can convert a JSON string to a JSONArray, a JSON string to a JavaBean, a JSON array string to a list of JavaBeans, a Java List to a JSONArray, and so on.

Why did you decide to abandon FastJson

As the examples above show, the FastJson API is very simple to use, and its main selling point is that it is “fast.”

Although various online benchmarks question FastJson's “speed,” whatever the test cases or environment, FastJson is generally no slower than the other frameworks on the market.

So what are the reasons for giving it up?

Popularity

First of all, it is not as popular as we thought. Look at the usage statistics for FastJson on the Maven Repository site (https://mvnrepository.com/):

You can see that FastJson ranks fourth, behind JSON In Java in third place. If you take into account that most developers in China use the Alibaba mirror, FastJson ranks somewhat higher, but there is still a gap compared to Jackson.

Design and code quality

There are probably two reasons why it has not spread further abroad: promotion (including English documentation) and code quality.

Developers abroad tend not to like FastJson because they feel its code quality is not high. There is a related discussion on Zhihu; although it dates from 2016, it is still worth reading (link: www.zhihu.com/question/44…

On this point, I personally agree with the conclusion of the top-voted answer: “there are many opportunistic shortcuts to achieve the so-called ‘fast’, they give up Java features that should be supported, and they are not strict about the JSON standard.”

Indeed, because the library grew out of Alibaba's own practice, many of its original designs were not quite standard. And since it is already so widely used, it is hard to change later. On top of that, incompatible upgrades are common.

Open Issues

While writing this article, I took a look at the project's Issues on GitHub: a large number of issues still need to be fixed, and new versions are released frequently, mostly as bug-fix upgrades.

And 1,488 issues are still open! Seeing this, I am genuinely worried. More users mean more reported problems, which in one sense means more scrutiny, but it is still unsettling to have so many problems waiting to be solved.

Bug Fix History

At the same time, several FastJson bugs have been discovered recently, and these bugs are related to FastJson's AutoType feature.

AutoType has been touched in every release from V1.2.59 in July 2019 to V1.2.71 in June 2020:

fastjson 1.2.59 release: enhanced AutoType security
fastjson 1.2.60 release: extended the AutoType blacklist, fixed a denial-of-service security issue
fastjson 1.2.61 release: extended the AutoType security blacklist
fastjson 1.2.62 release: extended the AutoType blacklist, improved date deserialization and JSONPath
fastjson 1.2.66 release: bug fixes and security hardening, extended the AutoType blacklist
fastjson 1.2.68 release: support for GeoJSON, extended the AutoType blacklist (a safeMode configuration is introduced; once safeMode is enabled, autoType is not supported at all, regardless of whitelist or blacklist)
fastjson 1.2.69 release: fixed the newly discovered high-risk AutoType switch bypass vulnerability, extended the AutoType blacklist
fastjson 1.2.70 release: improved compatibility, extended the AutoType blacklist

So what is AutoType, and why does it lead to bugs?

JSON frameworks usually convert Java objects to strings based either on their properties or on their getter/setter methods. FastJson and Jackson do this by iterating over all getter methods of the class, while Gson uses reflection to iterate over all fields of the class, serializing their values into JSON.

When a class has a field whose declared type is an interface (or abstract class), FastJson's serialization drops the concrete subtype and keeps only the interface (abstract class) type, so the original type cannot be recovered when deserializing.

For this reason, FastJson introduced AutoType, which records the concrete class name in the JSON (as an “@type” entry) at serialization time.

With AutoType enabled, when FastJson deserializes a JSON string it reads the “@type” entry, tries to instantiate that class from the JSON content, and calls its setter methods. Because the class name comes from the input, untrusted JSON can use “@type” to name an arbitrary class from the classpath and have its setters invoked, which is the root of the AutoType vulnerabilities listed above.
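The following is an added example, not code from the original article; it uses FastJson's public API (JSON.toJSONString with SerializerFeature.WriteClassName, and ParserConfig.setSafeMode, available from 1.2.68), and the Animal, Dog and Kennel classes are hypothetical beans made up for the illustration. It shows how the concrete class name ends up in the JSON as “@type” and how safeMode refuses to honour it when parsing.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;
import com.alibaba.fastjson.serializer.SerializerFeature;

public class AutoTypeDemo {

    // Hypothetical beans for the demo: the field in Kennel is declared as the
    // interface Animal, so plain serialization cannot record that it held a Dog.
    public interface Animal { String getName(); }

    public static class Dog implements Animal {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    public static class Kennel {
        private Animal animal;
        public Animal getAnimal() { return animal; }
        public void setAnimal(Animal animal) { this.animal = animal; }
    }

    public static void main(String[] args) {
        Dog dog = new Dog();
        dog.setName("Rex");
        Kennel kennel = new Kennel();
        kennel.setAnimal(dog);

        // Default output carries only the field values; the concrete type Dog is gone.
        System.out.println(JSON.toJSONString(kennel));

        // WriteClassName adds an "@type" entry with the concrete class name for each
        // object. This is the information AutoType consumes during deserialization.
        String withType = JSON.toJSONString(kennel, SerializerFeature.WriteClassName);
        System.out.println(withType);

        // Whoever produces the JSON controls the "@type" value. Since 1.2.68 the
        // global safeMode switch makes the parser reject any "@type", regardless of
        // whitelist or blacklist, so the input can no longer choose the class.
        ParserConfig.getGlobalInstance().setSafeMode(true);
        try {
            JSON.parseObject(withType, Kennel.class);
            System.out.println("parsed (safeMode is off)");
        } catch (JSONException e) {
            // Expected in safeMode: the "@type" entry is refused.
            System.out.println("rejected by safeMode: " + e.getMessage());
        }
    }
}
```

safeMode is a process-wide setting on the global ParserConfig, so enable it once at startup and make sure no code path relies on “@type” for polymorphic fields.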

Summary

Although FastJson has so many problems and we have decided to stop using it, as a Zhihu user put it, “Wenshao almost single-handedly supports a widely used JSON library, while other libraries are almost all backed by a whole team; in this respect, Wenshao is a well-deserved representative of Alibaba's early open-source generation who has not changed his original intention.” So FastJson's vulnerabilities can still be understood and tolerated.

After a lot of research, we decided to disable FastJson.
