=========================== Java To Json =============================
一,setCycleDetectionStrategy 防止自包含
-
-
-
- public static void testCycleObject() {
- CycleObject object = new CycleObject();
- object.setMemberId("yajuntest");
- object.setSex("male");
- JsonConfig jsonConfig = new JsonConfig();
- jsonConfig.setCycleDetectionStrategy(CycleDetectionStrategy.LENIENT);
-
- JSONObject json = JSONObject.fromObject(object, jsonConfig);
- System.out.println(json);
- }
-
- public static void main(String[] args) {
- JsonTest.testCycleObject();
- }
/**
* 这里测试如果含有自包含的时候需要CycleDetectionStrategy
*/
public static void testCycleObject() {
CycleObject object = new CycleObject();
object.setMemberId("yajuntest");
object.setSex("male");
JsonConfig jsonConfig = new JsonConfig();
jsonConfig.setCycleDetectionStrategy(CycleDetectionStrategy.LENIENT);
JSONObject json = JSONObject.fromObject(object, jsonConfig);
System.out.println(json);
}
public static void main(String[] args) {
JsonTest.testCycleObject();
}
其中 CycleObject.java是我自己写的一个类:
-
public class CycleObject {
-
- private String memberId;
- private String sex;
- private CycleObject me = this;
- ……
- }
public class CycleObject {
private String memberId;
private String sex;
private CycleObject me = this;
…… // getters && setters
}
输出 {"sex":"male","memberId":"yajuntest","me":null}
二,setExcludes:排除需要序列化成json的属性
-
public static void testExcludeProperites() {
- String str = "{'string':'JSON', 'integer': 1, 'double': 2.0, 'boolean': true}";
- JsonConfig jsonConfig = new JsonConfig();
- jsonConfig.setExcludes(new String[] { "double", "boolean" });
- JSONObject jsonObject = (JSONObject) JSONSerializer.toJSON(str, jsonConfig);
- System.out.println(jsonObject.getString("string"));
- System.out.println(jsonObject.getInt("integer"));
- System.out.println(jsonObject.has("double"));
- System.out.println(jsonObject.has("boolean"));
- }
-
- public static void main(String[] args) {
- JsonTest.testExcludeProperites();
- }
public static void testExcludeProperites() {
String str = "{'string':'JSON', 'integer': 1, 'double': 2.0, 'boolean': true}";
JsonConfig jsonConfig = new JsonConfig();
jsonConfig.setExcludes(new String[] { "double", "boolean" });
JSONObject jsonObject = (JSONObject) JSONSerializer.toJSON(str, jsonConfig);
System.out.println(jsonObject.getString("string"));
System.out.println(jsonObject.getInt("integer"));
System.out.println(jsonObject.has("double"));
System.out.println(jsonObject.has("boolean"));
}
public static void main(String[] args) {
JsonTest.testExcludeProperites();
}
三,setIgnoreDefaultExcludes
-
@SuppressWarnings("unchecked")
- public static void testMap() {
- Map map = new HashMap();
- map.put("name", "json");
- map.put("class", "ddd");
- JsonConfig config = new JsonConfig();
- config.setIgnoreDefaultExcludes(true);
- JSONObject jsonObject = JSONObject.fromObject(map,config);
- System.out.println(jsonObject);
-
- }
上面的代码会把name 和 class都输出。
而去掉setIgnoreDefaultExcludes(true)的话,就只会输出name,不会输出class。
-
private static final String[] DEFAULT_EXCLUDES = new String[] { "class", "declaringClass",
- "metaClass" };
四,registerJsonBeanProcessor 当value类型是从java的一个bean转化过来的时候,可以提供自定义处理器
-
public static void testMap() {
- Map map = new HashMap();
- map.put("name", "json");
- map.put("class", "ddd");
- map.put("date", new Date());
- JsonConfig config = new JsonConfig();
- config.setIgnoreDefaultExcludes(false);
- config.registerJsonBeanProcessor(Date.class,
- new JsDateJsonBeanProcessor());
- JSONObject jsonObject = JSONObject.fromObject(map, config);
- System.out.println(jsonObject);
- }
public static void testMap() {
Map map = new HashMap();
map.put("name", "json");
map.put("class", "ddd");
map.put("date", new Date());
JsonConfig config = new JsonConfig();
config.setIgnoreDefaultExcludes(false);
config.registerJsonBeanProcessor(Date.class,
new JsDateJsonBeanProcessor()); // 当输出时间格式时,采用和JS兼容的格式输出
JSONObject jsonObject = JSONObject.fromObject(map, config);
System.out.println(jsonObject);
}
注:JsDateJsonBeanProcessor 是json-lib已经提供的类,我们也可以实现自己的JsonBeanProcessor。
五,registerJsonValueProcessor
六,registerDefaultValueProcessor
为了演示,首先我自己实现了两个 Processor
一个针对Integer
-
public class MyDefaultIntegerValueProcessor implements DefaultValueProcessor {
-
- public Object getDefaultValue(Class type) {
- if (type != null && Integer.class.isAssignableFrom(type)) {
- return Integer.valueOf(9999);
- }
- return JSONNull.getInstance();
- }
-
- }
public class MyDefaultIntegerValueProcessor implements DefaultValueProcessor {
public Object getDefaultValue(Class type) {
if (type != null && Integer.class.isAssignableFrom(type)) {
return Integer.valueOf(9999);
}
return JSONNull.getInstance();
}
}
一个针对PlainObject(我自定义的类)
-
public class MyPlainObjectProcessor implements DefaultValueProcessor {
-
- public Object getDefaultValue(Class type) {
- if (type != null && PlainObject.class.isAssignableFrom(type)) {
- return "美女" + "瑶瑶";
- }
- return JSONNull.getInstance();
- }
- }
public class MyPlainObjectProcessor implements DefaultValueProcessor {
public Object getDefaultValue(Class type) {
if (type != null && PlainObject.class.isAssignableFrom(type)) {
return "美女" + "瑶瑶";
}
return JSONNull.getInstance();
}
}
以上两个类用于处理当value为null的时候该如何输出。
还准备了两个普通的自定义bean
PlainObjectHolder:
-
public class PlainObjectHolder {
-
- private PlainObject object;
- private Integer a;
-
- public PlainObject getObject() {
- return object;
- }
-
- public void setObject(PlainObject object) {
- this.object = object;
- }
-
- public Integer getA() {
- return a;
- }
-
- public void setA(Integer a) {
- this.a = a;
- }
-
- }
public class PlainObjectHolder {
private PlainObject object; // 自定义类型
private Integer a; // JDK自带的类型
public PlainObject getObject() {
return object;
}
public void setObject(PlainObject object) {
this.object = object;
}
public Integer getA() {
return a;
}
public void setA(Integer a) {
this.a = a;
}
}
PlainObject 也是我自己定义的类
-
public class PlainObject {
-
- private String memberId;
- private String sex;
-
- public String getMemberId() {
- return memberId;
- }
-
- public void setMemberId(String memberId) {
- this.memberId = memberId;
- }
-
- public String getSex() {
- return sex;
- }
-
- public void setSex(String sex) {
- this.sex = sex;
- }
-
- }
public class PlainObject {
private String memberId;
private String sex;
public String getMemberId() {
return memberId;
}
public void setMemberId(String memberId) {
this.memberId = memberId;
}
public String getSex() {
return sex;
}
public void setSex(String sex) {
this.sex = sex;
}
}
A,如果JSONObject.fromObject(null) 这个参数直接传null进去,json-lib会怎么处理:
-
public static JSONObject fromObject( Object object, JsonConfig jsonConfig ) {
- if( object == null || JSONUtils.isNull( object ) ){
- return new JSONObject( true );
public static JSONObject fromObject( Object object, JsonConfig jsonConfig ) {
if( object == null || JSONUtils.isNull( object ) ){
return new JSONObject( true );
看代码是直接返回了一个空的JSONObject,没有用到任何默认值输出。
B,其次,我们看如果java对象直接是一个JDK中已经有的类(什么指 Enum,Annotation,JSONObject,DynaBean,JSONTokener,JSONString,Map,String,Number,Array),但是值为null ,json-lib如何处理
JSONObject.java
-
}else if( object instanceof Enum ){
- throw new JSONException( "'object' is an Enum. Use JSONArray instead" );
- }else if( object instanceof Annotation || (object != null && object.getClass()
- .isAnnotation()) ){
- throw new JSONException( "'object' is an Annotation." );
- }else if( object instanceof JSONObject ){
- return _fromJSONObject( (JSONObject) object, jsonConfig );
- }else if( object instanceof DynaBean ){
- return _fromDynaBean( (DynaBean) object, jsonConfig );
- }else if( object instanceof JSONTokener ){
- return _fromJSONTokener( (JSONTokener) object, jsonConfig );
- }else if( object instanceof JSONString ){
- return _fromJSONString( (JSONString) object, jsonConfig );
- }else if( object instanceof Map ){
- return _fromMap( (Map) object, jsonConfig );
- }else if( object instanceof String ){
- return _fromString( (String) object, jsonConfig );
- }else if( JSONUtils.isNumber( object ) || JSONUtils.isBoolean( object )
- || JSONUtils.isString( object ) ){
- return new JSONObject();
- }else if( JSONUtils.isArray( object ) ){
- throw new JSONException( "'object' is an array. Use JSONArray instead" );
- }else{
}else if( object instanceof Enum ){
throw new JSONException( "'object' is an Enum. Use JSONArray instead" ); // 不支持枚举
}else if( object instanceof Annotation || (object != null && object.getClass()
.isAnnotation()) ){
throw new JSONException( "'object' is an Annotation." ); // 不支持 注解
}else if( object instanceof JSONObject ){
return _fromJSONObject( (JSONObject) object, jsonConfig );
}else if( object instanceof DynaBean ){
return _fromDynaBean( (DynaBean) object, jsonConfig );
}else if( object instanceof JSONTokener ){
return _fromJSONTokener( (JSONTokener) object, jsonConfig );
}else if( object instanceof JSONString ){
return _fromJSONString( (JSONString) object, jsonConfig );
}else if( object instanceof Map ){
return _fromMap( (Map) object, jsonConfig );
}else if( object instanceof String ){
return _fromString( (String) object, jsonConfig );
}else if( JSONUtils.isNumber( object ) || JSONUtils.isBoolean( object )
|| JSONUtils.isString( object ) ){
return new JSONObject(); // 不支持纯数字
}else if( JSONUtils.isArray( object ) ){
throw new JSONException( "'object' is an array. Use JSONArray instead" ); //不支持数组,需要用JSONArray替代
}else{
根据以上代码,主要发现_fromMap是不支持使用DefaultValueProcessor 的。
原因看代码:
JSONObject.java
-
if( value != null ){
- JsonValueProcessor jsonValueProcessor = jsonConfig.findJsonValueProcessor(
- value.getClass(), key );
- if( jsonValueProcessor != null ){
- value = jsonValueProcessor.processObjectValue( key, value, jsonConfig );
- if( !JsonVerifier.isValidJsonValue( value ) ){
- throw new JSONException( "Value is not a valid JSON value. " + value );
- }
- }
- setValue( jsonObject, key, value, value.getClass(), jsonConfig );
if( value != null ){ //大的前提条件,value不为空
JsonValueProcessor jsonValueProcessor = jsonConfig.findJsonValueProcessor(
value.getClass(), key );
if( jsonValueProcessor != null ){
value = jsonValueProcessor.processObjectValue( key, value, jsonConfig );
if( !JsonVerifier.isValidJsonValue( value ) ){
throw new JSONException( "Value is not a valid JSON value. " + value );
}
}
setValue( jsonObject, key, value, value.getClass(), jsonConfig );
-
private static void setValue( JSONObject jsonObject, String key, Object value, Class type,
- JsonConfig jsonConfig ) {
- boolean accumulated = false;
- if( value == null ){
- value = jsonConfig.findDefaultValueProcessor( type )
- .getDefaultValue( type );
- if( !JsonVerifier.isValidJsonValue( value ) ){
- throw new JSONException( "Value is not a valid JSON value. " + value );
- }
- }
- ……
private static void setValue( JSONObject jsonObject, String key, Object value, Class type,
JsonConfig jsonConfig ) {
boolean accumulated = false;
if( value == null ){ // 当 value为空的时候使用DefaultValueProcessor
value = jsonConfig.findDefaultValueProcessor( type )
.getDefaultValue( type );
if( !JsonVerifier.isValidJsonValue( value ) ){
throw new JSONException( "Value is not a valid JSON value. " + value );
}
}
……
根据我的注释, 上面的代码显然是存在矛盾。
_fromDynaBean是支持DefaultValueProcessor的和下面的C是一样的。
C,我们看如果 java 对象是自定义类型的,并且里面的属性包含空值(没赋值,默认是null)也就是上面B还没贴出来的最后一个else
-
else {return _fromBean( object, jsonConfig );}
else {return _fromBean( object, jsonConfig );}
我写了个测试类:
-
public static void testDefaultValueProcessor() {
- PlainObjectHolder holder = new PlainObjectHolder();
- JsonConfig config = new JsonConfig();
- config.registerDefaultValueProcessor(PlainObject.class,
- new MyPlainObjectProcessor());
- config.registerDefaultValueProcessor(Integer.class,
- new MyDefaultIntegerValueProcessor());
- JSONObject json = JSONObject.fromObject(holder, config);
- System.out.println(json);
- }
public static void testDefaultValueProcessor() {
PlainObjectHolder holder = new PlainObjectHolder();
JsonConfig config = new JsonConfig();
config.registerDefaultValueProcessor(PlainObject.class,
new MyPlainObjectProcessor());
config.registerDefaultValueProcessor(Integer.class,
new MyDefaultIntegerValueProcessor());
JSONObject json = JSONObject.fromObject(holder, config);
System.out.println(json);
}
这种情况的输出值是 {"a":9999,"object":"美女瑶瑶"}
即两个Processor都起作用了。
========================== Json To Java ===============
一,ignoreDefaultExcludes
-
public static void json2java() {
- String jsonString = "{'name':'hello','class':'ddd'}";
- JsonConfig config = new JsonConfig();
- config.setIgnoreDefaultExcludes(true);
- JSONObject json = (JSONObject) JSONSerializer.toJSON(jsonString,config);
- System.out.println(json);
- }
public static void json2java() {
String jsonString = "{'name':'hello','class':'ddd'}";
JsonConfig config = new JsonConfig();
config.setIgnoreDefaultExcludes(true); // 与JAVA To Json的时候一样,不设置class属性无法输出
JSONObject json = (JSONObject) JSONSerializer.toJSON(jsonString,config);
System.out.println(json);
}
========================== JSON 输出的安全问题 ===============
我们做程序的时候主要是使用 Java To Json的方式,下面描述的是 安全性问题:
-
@SuppressWarnings("unchecked")
- public static void testSecurity() {
- Map map = new HashMap();
- map.put("\"}<IMG src='x.jpg' onerror=javascript:alert('说了你不要进来') border=0> {", "");
- JSONObject jsonObject = JSONObject.fromObject(map);
- System.out.println(jsonObject);
- }
-
public static void main(String[] args) {
- JsonTest.testSecurity();
- }
public static void main(String[] args) {
JsonTest.testSecurity();
}
输出的内容:
|
{"\"}<IMG src='x.jpg' onerror=javascript:alert('说了你不要进来') border=0> {":"" } |
如果把这段内容直接贴到记事本里面,命名为 testSecu.html ,然后用浏览器打开发现执行了其中的 js脚本。这样就容易产生XSS安全问题。
