Course – LS – NPI (cat=JSON/Jackson)
announcement - icon

Get started with Spring and Spring Boot, through the Learn Spring course:


1. Overview

In this tutorial, we’ll see how we can use Java’s Validation API to validate objects after deserialization.

2. Trigger Validation Manually

Java’s API for bean validation is defined in the JSR 380. A common use of it is @Valid annotated parameters in Spring controllers. However, in this article, we’ll focus on validation outside of controllers.

First, let’s write a method that will validate that the content of an object complies with its validations constraints. To do this, we’ll get the Validator from the default validator factory. Then, we’ll apply the validate() method to the object. This method returns a Set of ConstraintViolation. A ConstraintViolation encapsulates some hints about the validation error. To keep it simple, we’ll just throw a ConstraintViolationException in case any validation problem occurs:

<T> void validate(T t) {
    Set<ConstraintViolation<T>> violations = validator.validate(t);
    if (!violations.isEmpty()) {
        throw new ConstraintViolationException(violations);

If we call this method on an object, it will throw if the object doesn’t respect any validation constraints. This method can be called at any point on an existing object with attached constraints.

3. Incorporate the Validation into the Deserialization Process

Our goal is now to incorporate the validation into the deserialization process. Concretely, we’ll override Jackson‘s deserializer to perform the validation right after the deserialization. This will ensure that any time we deserialize an object, we don’t allow any further treatment if it’s not compliant.

First, we need to override the default BeanDeserializer. A BeanDeserializer is a class that can deserialize objects. We’ll want to call the base deserialization method and then apply our validate() method to the created instance. Our BeanDeserializerWithValidation looks like this:

public class BeanDeserializerWithValidation extends BeanDeserializer {

    protected BeanDeserializerWithValidation(BeanDeserializerBase src) {

    public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
        Object instance = super.deserialize(p, ctxt);
        return instance;


The next step is to implement our own BeanDeserializerModifier. This will allow us to alter the deserialization process with the behavior defined in BeanDeserializerWithValidation:

public class BeanDeserializerModifierWithValidation extends BeanDeserializerModifier {

    public JsonDeserializer<?> modifyDeserializer(DeserializationConfig config, BeanDescription beanDesc, JsonDeserializer<?> deserializer) {
        if (deserializer instanceof BeanDeserializer) {
            return new BeanDeserializerWithValidation((BeanDeserializer) deserializer);

        return deserializer;


Lastly, we need to create an ObjectMapper and register our BeanDeserializerModifier as a Module. A Module is a way to extend Jackson’s default functionalities. Let’s wrap it in a method:

ObjectMapper getObjectMapperWithValidation() {
    SimpleModule validationModule = new SimpleModule();
    validationModule.setDeserializerModifier(new BeanDeserializerModifierWithValidation());
    ObjectMapper mapper = new ObjectMapper();
    return mapper;

4. Example Usage: Read and Validate Object from File

We’ll now showcase a small example of how to use our custom ObjectMapper. First, let’s define a Student object. A Student has a name. The name length must be between 5 and 10 characters:

public class Student {

    @Size(min = 5, max = 10, message = "Student's name must be between 5 and 10 characters")
    private String name;

    public String getName() {
        return name;


Let’s now create a validStudent.json file that contains the JSON representation of a valid Student object:

  "name": "Daniel"

We’ll read the content of this file in an InputStream. First, let’s define the method that parses an InputStream to a Student object and validates it at the same time. For this, we want to use our ObjectMapper:

Student readStudent(InputStream inputStream) throws IOException {
    ObjectMapper mapper = getObjectMapperWithValidation();
    return mapper.readValue(inputStream, Student.class);

We can now write a test in which we’ll:

  • start by reading the content of the file into an InputStream
  • convert the InputStream to a Student object
  • check that the content of the Student object is coherent with what’s expected

This test looks like this:

void givenValidStudent_WhenReadStudent_ThenReturnStudent() throws IOException {
    InputStream inputStream = getClass().getClassLoader().getResourceAsStream(("validStudent.json");
    Student result = readStudent(inputStream);
    assertEquals("Daniel", result.getName());

Similarly, we can create an invalid.json file containing the JSON representation of a Student with a name with less than 5 characters:

  "name": "Max"

Now we need to adapt our test to check that a ConstraintViolationException is indeed thrown. Additionally, we can check that the error message is correct:

void givenStudentWithInvalidName_WhenReadStudent_ThenThrows() {
    InputStream inputStream = getClass().getClassLoader().getResourceAsStream("invalidStudent.json");
    ConstraintViolationException constraintViolationException = assertThrows(ConstraintViolationException.class, () -> readStudent(inputStream));
    assertEquals("name: Student's name must be between 5 and 10 characters", constraintViolationException.getMessage());

5. Conclusion

In this article, we’ve seen how to override Jackson’s configuration to validate an object right after deserializing it. Thus, we can guarantee that it’s impossible to work on an invalid object afterwards.

As always, the associated code is available on GitHub.

Course – LS (cat=JSON/Jackson)
announcement - icon

Get started with Spring Boot and with core Spring, through the Learn Spring course:


res – Jackson (eBook) (cat=Jackson)
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.