I think it is very meaningful to discuss the long-term supported or 
default serialization protocol of Dubbo3. We are facing many difficulties with 
Hessian (low community activity, high cost of cross-language support, etc.). 
So I don't think we are able to maintain Hessian for a long time.

Fortunately, the serialization protocol in Dubbo can be flexibly extended. I 
think it’s a good idea to add Fastjson2 as an extension. If it proves to be 
good enough, we can even consider it as the default serialization protocol in 
the future. But the migration of the serialization protocol is not a simple 
thing. We need to think about how to reduce the cost on the user’s side.

For Fastjson2, I think we need to further evaluate it by focusing on the 
following points:

* Security considerations of both the protocol design and the implementation
* Community activity level, and whether or not it will receive long-term support
* Current situation and plan for multilingual support
* Java-specific issues: support for ahead-of-time compilation with tools like GraalVM, support for JDK 17, etc.

Regards,
Jun

> On June 16, 2022, at 3:34 PM, Albumen Kevin <album...@apache.org> wrote:
> 
> Hello Dubbo Community,
> 
> FASTJSON 2.0 is an important upgrade of the FASTJSON project. The goal is
> to provide a high-performance JSON library for the next decade. The same
> API supports both the JSON and JSONB protocols. JSONPath is a first-class
> citizen, supporting full parsing and partial parsing, and supporting Java
> server, Android client, and big data scenarios. The current default
> serialization protocol of Dubbo is the Hessian protocol, which has been
> unmaintained for a long time and cannot guarantee future security and
> compatibility. Therefore, Dubbo provides FASTJSON 2.0 serialization protocol
> support to solve the existing problems, and the question is whether we can
> consider replacing Dubbo's default serialization protocol with FASTJSON 2.0.
> 
> # Advantages
> 
> 1. When FASTJSON 2.0 is used as a common tool class, autotype is
> disabled by default, so the default is safe.
> 2. The performance of FASTJSON 2.0 has been greatly improved and is
> excellent. Compared with Hessian, the performance has been greatly
> improved. In terms of network transmission, the JSONB protocol
> has greater data compression than Hessian for complex objects.
> 3. In the RPC scenario, after the autotype function is turned on,
> FASTJSON 2.0 can provide a relatively complete serialization function and
> can cover the scenarios supported by Hessian (as with Hessian, JDK
> serialization, etc., arbitrary deserialization problems are unavoidable
> in the RPC scenario; we need to explore a set of mechanisms in
> the future to ensure communication security).
> 4. FASTJSON 2.0 natively supports JDK 17, and Dubbo can run normally under
> JDK 17 without adding any special configuration
> 5. FASTJSON 2.0 supports GraalVM Native-Image, JDK14 Record, etc.
> 
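> FASTJSON 2.0 is a major upgrade of the FASTJSON project. Its goal is to
> provide a high-performance JSON library for the next decade. The same API
> supports both the JSON and JSONB protocols; JSONPath is a first-class
> citizen; full parsing and partial parsing are supported; and Java
> server-side, Android client, and big data scenarios are supported. Dubbo's
> current default serialization protocol is the Hessian protocol, which has
> gone unmaintained for a long time and cannot guarantee future security and
> compatibility. Therefore, FASTJSON 2.0 serialization protocol support in
> Dubbo can solve the existing problems, and the question is whether we can
> consider replacing Dubbo's default serialization protocol with FASTJSON 2.0.
> 
> # Advantages
> 
> 1. When used as an ordinary utility class, FASTJSON 2.0 already disables
> autotype by default, so the default is safe.
> 2. The performance of FASTJSON 2.0 has improved greatly and is excellent;
> it is considerably faster than Hessian, and in network transmission the
> JSONB protocol compresses data considerably better than Hessian for complex
> objects.
> 3. In the RPC scenario, with the autotype function turned on, FASTJSON 2.0
> can provide relatively complete serialization functionality and can cover
> the scenarios supported by Hessian (as with Hessian, JDK serialization,
> etc., arbitrary deserialization problems cannot be avoided in the RPC
> scenario; a set of mechanisms needs to be explored in the future to ensure
> communication security).
> 4. FASTJSON 2.0 natively supports JDK 17, and Dubbo can run normally under
> JDK 17 without adding any special configuration.
> 5. FASTJSON 2.0 supports GraalVM Native-Image, JDK14 Record, etc.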
> 
> Thanks,
> Albumen Kevin
