Spring Framework Upgrades to Jackson 3
The Spring team has officially announced support for Jackson 3, a major update to the leading JSON library for the JVM. Starting with Spring Boot 4 and Spring Framework 7, Jackson 3 becomes the default, while Jackson 2 is now deprecated. This article explores the key improvements, including enhanced security, the shift to the immutable JsonMapper, the removal of MappingJacksonValue, and new configuration methods using builder interfaces.
A Close Collaboration
Integrating new versions of popular open-source libraries often involves significant collaboration behind the scenes. Jackson 3 is a prime example of this synergy. We want to thank Tatu Saloranta, the Jackson project lead, for being highly receptive to our feedback during the release candidate phase. This partnership led to several key enhancements for the entire community:
- Enabling side-by-side usage of Jackson 2 and Jackson 3
- Establishing JDK 17 as the baseline
- Aligning Jackson and Spring standards for JSON Views
- Improving the non-blocking parser
- Clarifying null-safety handling in the JsonNode API
- Reverting an unpopular default change for
JsonWriteFeature.ESCAPE_FORWARD_SLASHES - Reducing the need for the
@JsonCreatorannotation - Providing a comprehensive Jackson 3 Migration Guide
Support Status in Spring Boot 4
Starting with Spring Boot 4 and Spring Framework 7, the Spring portfolio will:
- Integrate full support for Jackson 3.
- Deprecate Jackson 2 support, with plans for future removal.
- Switch the default classpath-detected version to Jackson 3.
The main exception is Spring AI, which will introduce Jackson 3 support in version 2.0, expected in the first half of 2026.
While applications migrating to Spring Boot 4 are encouraged to upgrade to Jackson 3, using Jackson 2 remains possible. Transitive dependencies that rely on Jackson 2 will continue to be supported and managed.
Migrating to Jackson 3
This section covers the key migration steps for typical Spring Boot applications. For complete details, refer to the official Jackson 3 Migration Guide. Tools like OpenRewrite can help automate the process, while the Spring Application Advisor provides a comprehensive, step-by-step migration path.
Update Packages and Dependencies
The first breaking change you'll encounter is the update to package names and dependency groupID. The new coordinate is tools.jackson, replacing the old com.fasterxml.jackson. The jackson-annotations package is an exception and retains its original name for backward compatibility.
Adapt to New Defaults
Jackson 3 introduces several new default settings. You should either adapt your tests to these new defaults (recommended) or configure Jackson 3 to restore the previous behavior. The changes most likely to affect your tests are:
- Alphabetical Property Sorting:
MapperFeature.SORT_PROPERTIES_ALPHABETICALLYis now enabled by default. This may affect tests that compare serialized JSON output with raw strings. - Date Serialization:
SerializationFeature.WRITE_DATES_AS_TIMESTAMPS(renamed toDateTimeFeature.WRITE_DATES_AS_TIMESTAMPS) is now disabled by default, meaning dates are serialized to the ISO-8601 format instead of numeric timestamps.
If you need to maintain behavior as close to Jackson 2 as possible during the initial migration, you can use the following configuration:
@Bean
JsonMapperBuilderCustomizer jacksonCustomizer() {
return builder -> builder.configureForJackson2();
}From ObjectMapper to JsonMapper
While Jackson 3 introduces many changes, the most significant from a Spring perspective is the shift from the mutable ObjectMapper (Jackson 2) to the immutable JsonMapper (Jackson 3).
JsonMapper is a JSON-specific extension of ObjectMapper, similar to XmlMapper or YAMLMapper. Spring's support has been updated to align with Jackson 3 best practices, now favoring this format-specific variant. With the introduction of a comprehensive JsonMapper.Builder, Spring Framework no longer provides an equivalent to Jackson2ObjectMapperBuilder. Instead, you should use the standard Jackson builder directly.
Before (Spring Boot 3 with Jackson 2):
@Bean
public Jackson2ObjectMapperBuilderCustomizer jacksonCustomizer() {
return builder -> builder.indentOutput(true);
}After (Spring Boot 4 with Jackson 3):
@Bean
JsonMapperBuilderCustomizer jacksonCustomizer() {
return builder -> builder.enable(SerializationFeature.INDENT_OUTPUT);
}Goodbye, MappingJacksonValue
The now-deprecated MappingJackson2HttpMessageConverter extended a base class that couldn't effectively pass serialization hints like a serialization view or FilterProvider. This limitation necessitated the MappingJacksonValue wrapper class. With Spring Framework 7, this is no longer needed.
The new JacksonJsonHttpMessageConverter implements SmartHttpMessageConverter, which fully supports serialization hints. This means you can pass context directly without mutable wrappers.
var user = new User(/* ... */);
// The new approach using RestClient and serialization hints
var response = this.restClient.post()
.uri(http://localhost:8080/create)
.hint(JsonView.class.getName(), Summary.class) // Pass the view directly
.body(user)
.retrieve()
.body(String.class);This modern approach eliminates the need for wrappers, leading to cleaner and more intuitive code.
Impact on Spring Projects
The upgrade to Jackson 3 brings targeted improvements across the Spring ecosystem, from enhanced security defaults to modernized data handling.
Spring Security
Spring Security 7.0 makes Jackson 3 support more secure by default. It disables global default typing, which was a potential security risk, and instead uses a PolymorphicTypeValidator. This validator only permits known Spring Security types by default, and you can explicitly allow your custom types:
ClassLoader loader = getClass().getClassLoader();
BasicPolymorphicTypeValidator.Builder typeValidatorBuilder = BasicPolymorphicTypeValidator.builder()
.allowIfSubType(CustomGrantedAuthority.class);
JsonMapper mapper = JsonMapper.builder()
.addModules(SecurityJacksonModules.getModules(loader, typeValidatorBuilder))
.build();To simplify migration for applications that store Jackson 2 serialized data (e.g., in a database), a Jackson 2 compatibility mode is provided. This allows you to upgrade to Spring Boot 4 and Security 7 while still processing data in the old format using the new Jackson 3 engine.
Spring Data
Spring Data 4.0 provides full Jackson 3 support for its core modules. Although migrating to Jackson 3 is recommended, you can continue using Jackson 2 or even both versions simultaneously. Keep in mind that Jackson 3's new defaults may require migrating existing data or reconfiguring Jackson 3 to match the previous settings.
Spring Data REST is a major consumer of Jackson and does not support Jackson 2. If you plan to use the new version of Spring Data REST, your application must migrate to Jackson 3. This requirement also applies to Spring HATEOAS.
Other modules like Spring Data Couchbase and Elasticsearch, along with certain drivers, still use Jackson 2 internally for parsing and writing JSON but are gradually transitioning. In most cases, this internal usage does not directly affect your application entities.
Conclusion
Jackson 3 brings significant improvements in security, API design, and configuration. However, it also introduces breaking changes that require a thoughtful migration effort.
The Spring team is committed to making this transition as smooth as possible by providing a clear upgrade path, detailed documentation, and extended support for the previous version, giving you ample time to adapt and upgrade your applications.