Justin Justin - 1 month ago 10
Java Question

Jackson and JsonIgnore to hide secret fields

I'm trying to use a combination of dropwizard + morphia + jackson (dropwizard's default), but I can't get

@JsonIgnore
or
@JsonIgnoreProperties
to work. I've tried
@JsonIgnoreProperties
over the class definition for properties I don't want to be exposed (password and salt) to consumers of my API, I've also tried
@JsonIgnore
over the field declarations themselves as well as over every permutation of getter and setter... Kind of at a loss now.

edit: here's the model:

@Entity(value = "user", noClassnameStored = true)
@Indexes({
@Index(fields = {
@Field(value = "email", type = IndexType.ASC)},
options = @IndexOptions(unique = true, sparse = true)
)
})
public class User {
@Id
private ObjectId id = new ObjectId();
@JsonProperty
private String email;
@JsonProperty
private byte[] password;
@JsonProperty
private byte[] salt = SecurityUtils.getSalt();
@Reference
private Person person = new Person();

public String getId() {
return id.toHexString();
}

public void setId(ObjectId id) {
this.id = id;
}

public String getEmail() {
return email;
}

public void setEmail(String email) {
this.email = email;
}

@JsonIgnore
public byte[] getPassword() {
return password;
}

@JsonIgnore
public void setPassword(String password) {
this.password = SecurityUtils.hashPassword(password.toCharArray(), this.getSalt());
}

@JsonIgnore
public byte[] getSalt() {
return salt;
}

@JsonIgnore
public void setSalt(byte[] salt) {
this.salt = salt;
}

public Person getPerson() {
return person;
}

public void setPerson(Person person) {
this.person = person;
}
}


In addition to the above I've tried defining the class using
@JsonIgnoreProperties({"password", "salt"} public class User...
, as well as having
@JsonIgnore
only over the getters, setters, etc.

I'm using morphia v1.2.1 to persist. Right now I have a basic DAO that's extending morphia's BasicDAO and mostly just proxying at the moment. Can post snippets of that code if it'll help.

Answer

password and salt are both labeled @JsonProperty, which takes precedence over the ignore on the setter and getter. I think if you remove the JsonPropety annotation (or replace it with JsonIgnore), those fields you want ignored will actually be ignored.

Comments