spring-projects
Allow Jackson StreamReadConstraints to be configured
Jackson 2.15 (v2.15.0-rc1 is out) has a default set of limits that it applies to inputs. Input Files that breach those limits will cause parse exceptions.
spring-boot will need to consider if those limits are ok or if you need to provide a way to configure the Jackson StreamReadConstraints.
https://javadoc.io/static/com.fasterxml.jackson.core/jackson-core/2.15.0-rc1/com/fasterxml/jackson/core/StreamReadConstraints.html
Thanks for raising this, @pjfanning.
At the ObjectMapper level, which is where Spring Boot operates, I can't quite see how to configure the constraints. As far as I can tell, they have to be configured on a JsonFactoryBuilder that's used to create a JsonFactory which is used in turn to create the ObjectMapper. That JsonFactory should be a MappingJsonFactory which, ideally, should be created with an ObjectMapper. I can't see how to create an ObjectMapper with a custom JsonFactory that itself has been created with that same ObjectMapper.
@cowtowncoder if you have a moment, could you please point us in the right direction here?
Constructing a MappingJsonFactory from an existing ObjectMapper and then trying to override the StreamReadConstraints on the MappingJsonFactory - that is not currently allowed.
I'm not sure if this is something that jackson-databind should have but @cowtowncoder may see differently.
If there is no way for you to refactor your code, you could subclass jackson-databind's MappingJsonFactory and add a method to override the StreamReadConstraints.
@wilkinsona could you highlight some code that you are worried about? I looked at spring-boot and all I can find is lots of code that uses new ObjectMapper().
Instead of new ObjectMapper(), you might find it a good idea to have a common ObjectMapperFactory, so that it easier to replace all the new ObjectMapper() calls with something like ObjectMapperFactory.createObjectMapper().
private static JsonFactory JSON_FACTORY;
// add some code to create JSON_FACTORY with your preferred StreamReadConstraints settings
public static createObjectMapper() {
return JsonMapper.builder(JSON_FACTORY).build();
}
My concern is a general one and doesn't really focus on any specific area of Spring Boot's code. If there's a mechanism in Jackson for configuring the constraints then based on our past experience with configuring Jackson I expect that we'll be able to use it without too much difficulty. It's a configuration mechanism that's similar to what Jackson offers in various other areas that I am looking for.
If there is one area that's likely to be of specific concern it is in and around org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration. This auto-configuration applies the user's spring.jackson.* application properties and makes extensive use of Spring Framework's Jackson2ObjectMapperBuilder to do so. If the constraints need to be configurable, some new spring.jackson.* properties would be the obvious way for users to do so. I don't yet see how we could apply those properties to either a new or an existing ObjectMapper instance.
Jackson is moving towards making Object Mappers immutable. You may need to rethink the idea of reconfiguring at that level. Factories and Builders are where Jackson config happens or that's where things are moving.
Ok, while @pjfanning is correct in that we are moving to Builder-based configuration, there does need to be some support for old-style direct configuration for compatibility reasons. For new functionality this may not be needed but for StreamReadConstraints we do need something, I think. Jackson 3.x (only) will offer/require full immutability; before that there is just availability of Builders with only partial benefits.
I will file a jackson-core issue to make sure there is actually a way to directly set configuration via JsonFactory -- I do believe that it is impractical to expect frameworks to switch to Builder-style construction (and more importantly, exposing that to their users) mid-Jackson-2.x
EDIT: created https://github.com/FasterXML/jackson-core/issues/962
Thank you @pjfanning for due diligency here: I think this is something that must be resolved for 2.15.0 final & is a good catch now (instead of after release).
@wilkinsona I did add the obvious 2.x, non-builder mechanism (see https://github.com/FasterXML/jackson-core/issues/962), that is, JsonFactory.setStreamReadConstraints(). It will be in 2.15.0-rc2. Thank you for outlining this obvious (in hindsight, although I really should have seen it ahead of time too) gap.
As usual, help by Spring Boot team is much appreciated: as much as I want 2.15.0 to get done ASAP, I want to also avoid rushing and breaking existing usage by valued user communities.
With the new setter, it'll be possible for someone to configure the constraints in a Spring Boot application without requiring any changes in Boot:
@Bean
Jackson2ObjectMapperBuilderCustomizer customStreamReadConstraints() {
return (builder) -> builder.postConfigurer((objectMapper) -> objectMapper.getFactory()
.setStreamReadConstraints(StreamReadConstraints.builder().maxNestingDepth(2000).build()));
}
This will ensure that any ObjectMapper created through the auto-configured Jackson2ObjectMapperBuilder will have a max nesting depth of 2000. We can still consider adding some configuration properties for the three constraints if tuning them is a common requirement.
We've added a Jackson2ObjectMapperBuilderCustomizer to modify the max string length like @wilkinsona mentioned but we're not seeing this reflected in our tests that use an injected ObjectMapper. We've also tried using StreamReadConstraints.overrideDefaultStreamReadConstraints to force override at application startup, but again, no luck. Still hitting the 20,000,000 limit.
@Configuration
public class JacksonConfig {
@Bean
Jackson2ObjectMapperBuilderCustomizer customStreamReadConstraints() {
return (builder) -> builder.postConfigurer((objectMapper) -> objectMapper.getFactory()
.setStreamReadConstraints(StreamReadConstraints.builder().maxStringLength(100000000).build()));
}
}
public static void main(String[] args) {
StreamReadConstraints.overrideDefaultStreamReadConstraints(
StreamReadConstraints.builder().maxStringLength(100000000).build()
);
SpringApplication.run(ApiApplication.class, args);
}
The only way I could get this to work was to override the defaults in a static context, e.g.
@Configuration
public class JacksonConfig {
static {
StreamReadConstraints.overrideDefaultStreamReadConstraints(
StreamReadConstraints.builder().maxStringLength(100000000).build()
);
}
}
@jamesdh I can't reproduce the behaviour you've described in either case. If overrideDefaultStreamReadConstraints is not working, it sounds like something else is configuring the constraints and preventing the overridden defaults from taking effect. Please follow up with a question on Stack Overflow that includes a minimal example that reproduces the problem.
@wilkinsona I got overrideDefaultStreamReadConstraints working but had to call it from a static context. I guess that implies some other bean/config in a 3rd party dependency could be at cause? We have nothing else in our code that touches the ObjectMapper config.
It's really a Jackson question, but as far as I know changes to the defaults should affect every com.fasterxml.jackson.core.JsonFactory that's created thereafter. As I said above, please follow up on Stack Overflow as this issue isn't that right place for this.
I think this issue should be closed as the original change was done.
And if there are follow-up issues, file issue in appropriate place(s).
I'd like to keep the issue open to see if there's sufficient interest in some spring.jackson.* configuration properties for configuring the constraints. In the meantime, using a customizer or an early call to StreamReadConstraints.overrideDefaultStreamReadConstraints remains the recommended approach.
We just ran into this situation. Received a constraints limit reached. It would be nice to be able to set this via properties as most of the configuration we do is via those properties.
Jackson does not offer much any global configutation, by design -- it is typically embedded as a component so global configuration tends to break usage in unintended places.
So no support for property configuration will be added on Jackson side.
EDIT: please disregard, as per @wilkinsona comment I was confused about question; not related to Jackson side. Spring definitely has lots of relevant configurability.
@cowtowncoder, I assume @jjstreet was referring to Spring Boot properties. We already provide several for configuring an ObjectMapper instance and could add to them to provide property-based configuration for its stream read constraints.
@wilkinsona Thank you for pointing this out -- yeah I should pay attention to where issue exists, not just look at title & update :)
@cowtowncoder, I assume @jjstreet was referring to Spring Boot properties. We already provide several for configuring an
ObjectMapperinstance and could add to them to provide property-based configuration for its stream read constraints.
It would be quite useful. I keep hitting certain limits every now and then. Copying the same configuration class to every microservice is quite suboptimal. Releasing a jar that has the ability to enable the configuration via properties and including it as a dependency in every app is even more problematic.
I will say that we were able to route around the stream limit constraints by using the suggested customizer class.
Where would such a property exist? spring.jackson.deserialization.*?
I'm not sure but it couldn't be a spring.jackson.deserialization property as they're a Map<DeserializationFeature, Boolean>. We'll have to give it some thought.
The only way I could get this to work was to override the defaults in a static context, e.g.
@Configuration public class JacksonConfig { static { StreamReadConstraints.overrideDefaultStreamReadConstraints( StreamReadConstraints.builder().maxStringLength(100000000).build() ); } }
This works to allow larger string/json as input
Hi all, so for what I'm understanding, me that having many springboot 3.2.x so with jackson 2.15.4, there is no spring.jackson property currently available to increase that limit of 20MB? I've reached that limit with some email for that I need to post its content.
So the only solution is to modify the ObjectMapper? Thank you for the confirmation
Hi @rgambelli
So the only solution is to modify the ObjectMapper? Thank you for the confirmation
Yes
there is no spring.jackson property currently available to increase that limit of 20MB?
There is no spring.jackson.* properties at the moment to configure StreamReadConstraints.
You can use the following configuration to modify StreamReadConstraints.
import com.fasterxml.jackson.core.StreamReadConstraints;
import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration(proxyBeanMethods = false)
public class JacksonConfiguration {
@Bean
Jackson2ObjectMapperBuilderCustomizer streamReadConstaintsCustomizer() {
return (builder) -> builder.postConfigurer((objectMapper) -> objectMapper.getFactory()
.setStreamReadConstraints(StreamReadConstraints.defaults()
.rebuild()
.maxDocumentLength()
.maxStringLength()
.maxNameLength()
.maxNestingDepth()
.maxTokenCount()
.build()));
}
}
}
Sorry @nosan I'm trying with your class, I can confirm debugging that the flow goes through that builder but the issue is not fixed.
In this screenshot you can see the org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter class and as you can see the default objectmapper is selected nevertheless its stream read constraints are not changed according to the configuration.
I'm using springboot 3.2.4, thanks for your help
I don't understand the StreamReadConstraints that @nosan 's example creates. It appears to create a default constraints instance with the default limits. These default limits can be too low.
@rgambelli
I've tested the StreamReadConstraints customizer with a small application, and everything works as expected.
The sample application can be downloaded using this link: gh-34709.zip
:: Spring Boot :: (v3.2.4)
2025-03-26T20:31:13.770+02:00 INFO 75386 --- [gh-34709] [ Test worker] task.gh34709.Gh34709ApplicationTest : Starting Gh34709ApplicationTest using Java 17.0.13 with PID 75386 (started by dmytronosan in /Users/dmytronosan/IdeaProjects/gh-34709)
2025-03-26T20:31:13.770+02:00 INFO 75386 --- [gh-34709] [ Test worker] task.gh34709.Gh34709ApplicationTest : No active profile set, falling back to 1 default profile: "default"
2025-03-26T20:31:14.086+02:00 INFO 75386 --- [gh-34709] [ Test worker] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port 0 (http)
2025-03-26T20:31:14.091+02:00 INFO 75386 --- [gh-34709] [ Test worker] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2025-03-26T20:31:14.091+02:00 INFO 75386 --- [gh-34709] [ Test worker] o.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/10.1.19]
2025-03-26T20:31:14.116+02:00 INFO 75386 --- [gh-34709] [ Test worker] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2025-03-26T20:31:14.116+02:00 INFO 75386 --- [gh-34709] [ Test worker] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 339 ms
2025-03-26T20:31:14.241+02:00 INFO 75386 --- [gh-34709] [ Test worker] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port 58741 (http) with context path ''
2025-03-26T20:31:14.245+02:00 INFO 75386 --- [gh-34709] [ Test worker] task.gh34709.Gh34709ApplicationTest : Started Gh34709ApplicationTest in 0.565 seconds (process running for 0.955)
2025-03-26T20:31:14.650+02:00 INFO 75386 --- [gh-34709] [o-auto-1-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2025-03-26T20:31:14.650+02:00 INFO 75386 --- [gh-34709] [o-auto-1-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2025-03-26T20:31:14.651+02:00 INFO 75386 --- [gh-34709] [o-auto-1-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 0 ms
2025-03-26T20:31:14.670+02:00 WARN 75386 --- [gh-34709] [o-auto-1-exec-1] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Depth (65) exceeds the maximum allowed nesting depth (64)]