Imagine a small REST client. You are consuming a “room” resource from some conference API, and you only care about three fields – id, name, and capacity:
public record Room(String id, String name, int capacity) { }
You wire it up with the MicroProfile REST Client:
@RegisterRestClient(baseUri = "https://conf.example.com/api")
public interface RoomsClient {
@GET
@Path("/rooms/{id}")
@Produces(MediaType.APPLICATION_JSON)
Room getById(@PathParam("id") String id);
}
This works fine. Then, a few sprints later, the API team adds building, floor, and accessibility to the room payload. Your DTO still declares three fields. The response now looks like this:
{
"id": "room-7",
"name": "Hall A",
"capacity": 120,
"building": "Main",
"floor": 2,
"accessibility": { "wheelchair": true }
}
The question is simple: what does getById("room-7") do now? And the answer, annoyingly, is that it depends entirely on which JSON provider is doing the deserialization. The MicroProfile REST Client spec does not decide this for you – it delegates the actual JSON binding to whatever provider is on the classpath.
This is worth a whole post because the default behaviour is inconsistent between providers, and the failure shows up at the worst possible time – in production, when someone else’s API changes underneath you.
A JSON library can reasonably do one of two things when it meets a field that has no home in your DTO:
This idea is not something REST people invented later. It goes back to early Internet protocol design: TCP’s robustness principle (overview) says to be conservative in what you send and liberal in what you accept from others. For this particular JSON-client case, the practical reading is simple: if the response gives you all the fields you asked for, extra fields should usually be ignored by the consumer. The modern caveat is important, though: this is not a license to accept malformed or unsafe input. Newer protocol guidance explicitly warns that applying the robustness principle too broadly can create interoperability and security problems.
Neither is wrong. But you really want to know which one you have, because the strict default is the one that turns a backwards-compatible server change into a client-side outage.
💡 Note: “Additive response changes should be safe” is one of the practical compatibility expectations of REST-style JSON APIs. It only holds if your consumers are tolerant readers. A strict deserializer quietly opts you out of that contract.
I have added a small demo to my API Guide for Java repository. The endpoint in UnknownFieldsResource.java serves a deliberately over-stuffed room payload at GET /api/unknown-fields/{id} (the six fields from the introduction), and the Ch7_UnknownFieldsTest unit test shows what each provider does when that payload is mapped onto the three-field Room. Below, I walk through the defaults and the switch that changes each one.
On a typical Jakarta EE / MicroProfile stack without Jackson – think Open Liberty, Helidon, Payara, and friends – JSON mapping is commonly handled through JSON-B. Yasson is the JSON-B reference implementation, and it is also what the demo test uses.
The good news: JSON-B ignores unknown properties by default. The Room record above deserializes happily, building and floor are dropped on the floor, and your client keeps working.
This is not an accident or an implementation detail of Yasson – it is in the spec. The Jakarta JSON Binding specification states that during deserialization, any JSON property that does not map to a class member is ignored.
curl -X GET http://localhost:8080/api/unknown-fields/room-7 \
-H "Accept: application/json"
GET http://localhost:8080/api/unknown-fields/room-7
Accept: application/json
The HTTP endpoint still returns the six-field payload. The important part happens on the client side: JSON-B maps the fields it knows about into Room and ignores building, floor, and accessibility.
✅ Pros:
❌ Cons:
🔍 However: “Lenient by default” is the behaviour you usually want for a consumer. Just be aware it is a deliberate choice – you are trading early failure for compatibility.
The moment you use an unconfigured Jackson mapper or a bare Jackson provider – for example a plain ObjectMapper, resteasy-jackson, or jersey-media-json-jackson without framework-level configuration – the default flips.
Jackson’s ObjectMapper enables DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES by default. An unknown field throws UnrecognizedPropertyException (a subclass of JsonMappingException), which typically surfaces through the REST Client as a response-processing/deserialization failure. Your three-field Room no longer deserializes the six-field payload – it fails.
There are three common ways to make Jackson lenient, from most local to most global:
// 1. Per DTO/type - the local fix:
@JsonIgnoreProperties(ignoreUnknown = true)
public record Room(String id, String name, int capacity) { }
// 2. Per ObjectMapper - the application-wide fix:
ObjectMapper mapper = JsonMapper.builder()
.disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
.build();
For the MicroProfile REST Client specifically, you’d expose that configured ObjectMapper through a ContextResolver<ObjectMapper> so the client picks it up:
// 3. Hand the configured mapper to the REST Client via a ContextResolver:
@Provider
public class LenientJacksonProvider implements ContextResolver<ObjectMapper> {
private final ObjectMapper mapper = JsonMapper.builder()
.disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
.build();
@Override
public ObjectMapper getContext(Class<?> type) {
return mapper;
}
}
In a real MicroProfile REST Client, make sure this provider is actually registered with the client, for example with @RegisterProvider, MicroProfile REST Client configuration, or your runtime’s provider discovery mechanism.
The @JsonIgnoreProperties(ignoreUnknown = true) annotation is the one most people reach for first, because it is right next to the DTO and easy to read.
The HTTP call is identical – the difference is entirely server-payload vs. client-config. With strict Jackson and the six-field payload, the response is still valid JSON, but a Jackson-backed client trying to deserialize it into the three-field Room now fails:
curl -X GET http://localhost:8080/api/unknown-fields/room-7 \
-H "Accept: application/json"
✅ Pros:
❌ Cons:
⚠️ Caution: If you consume third-party APIs with raw Jackson defaults, you are one additive change away from an incident. Either set @JsonIgnoreProperties(ignoreUnknown = true) on your DTOs, or disable FAIL_ON_UNKNOWN_PROPERTIES globally – and do it deliberately, not by accident.
Here is where it gets interesting, and where a lot of confusion comes from. Quarkus uses Jackson for a great deal of its JSON handling – but it does not keep Jackson’s strict default.
Quarkus ships with quarkus.jackson.fail-on-unknown-properties=false as its default, which means a Quarkus app with Jackson ignores unknown properties out of the box – the opposite of what you’d get from a bare ObjectMapper. This is documented in the Quarkus Jackson configuration reference and the Quarkus JSON guide.
So the same Jackson library behaves differently depending on whether Quarkus configured it for you or you new-ed up an ObjectMapper yourself. If you want the strict behaviour back, you flip the property:
# application.properties - opt back in to strict deserialization
quarkus.jackson.fail-on-unknown-properties=true
…or override it for a single class with the same @JsonIgnoreProperties annotation from §2.
GET http://localhost:8080/api/unknown-fields/room-7
Accept: application/json
On Quarkus defaults, this succeeds even with the six-field payload, because Quarkus pre-configured Jackson to be lenient.
✅ Pros:
❌ Cons:
ObjectMapper comes from (Quarkus-managed vs. hand-rolled).🧪 Observation: This is a perfect example of why “we use Jackson” is not enough information. The framework around Jackson decides the default, and Quarkus and a plain ObjectMapper land on opposite answers.
Spring Boot ends up in the same place as Quarkus: it uses Jackson, but configures it to be lenient by default. Stock Jackson is strict, but in the current Spring Boot 4.1 reference documentation, spring.jackson.deserialization.fail-on-unknown-properties=false is the documented default, so Spring also ignores unknown fields out of the box.
# application.properties - flip Spring back to strict if you want it
spring.jackson.deserialization.fail-on-unknown-properties=true
So if you’re coming from Spring, the surprise is similar to Quarkus: you are using Jackson, but not stock Jackson defaults.
So far we’ve looked at the client receiving more than it expected. The mirror image is your server receiving a request body with extra fields – a client POSTs more than your endpoint’s DTO declares. The good news is that it is the same providers and the same switches:
UnrecognizedPropertyException unless you set @JsonIgnoreProperties(ignoreUnknown = true) or disable FAIL_ON_UNKNOWN_PROPERTIES.There is one extra wrinkle worth flagging on the server side: silently ignoring unknown fields on input can be a mild security/robustness smell. A client sending fields you don’t recognise might be confused, might be on the wrong API version, or might be probing. Strictness on input is sometimes a feature, not a bug. This is the opposite of what is expected for a consumer.
💡 Note: The mental model is “tolerant on the way in is convenient, strict on the way in is defensive”. You get to choose per endpoint – just choose on purpose.
The table below assumes the six-field JSON payload from the introduction being mapped onto the three-field Room DTO.
| Provider / stack | Default on unknown fields | Result with extra fields | How to flip it |
|---|---|---|---|
| JSON-B / Yasson | Ignore | ✅ Deserializes, extra fields dropped | (Already lenient; strictness needs custom validation/deserialization logic) |
| Jackson (stock) | Fail | ❌ UnrecognizedPropertyException |
@JsonIgnoreProperties(ignoreUnknown=true) or disable the feature |
| Quarkus + Jackson | Ignore | ✅ Deserializes, extra fields dropped | quarkus.jackson.fail-on-unknown-properties=true |
| Spring Boot + Jackson | Ignore | ✅ Deserializes, extra fields dropped | spring.jackson.deserialization.fail-on-unknown-properties=true |
The one row that catches people out is Jackson (stock) – and by extension any MicroProfile REST Client where you added a bare Jackson provider without configuring it.
The MicroProfile REST Client doesn’t have an opinion on unknown fields – it hands that decision to your JSON provider, and the providers don’t agree:
So the practical advice is short. If you’re writing a consumer, you almost certainly want the tolerant-reader behaviour, so additive changes on the server don’t page you at 2am. On JSON-B you already have it. On raw Jackson, add @JsonIgnoreProperties(ignoreUnknown = true) to your DTOs (or disable FAIL_ON_UNKNOWN_PROPERTIES once, globally) and be explicit that you’ve made that choice. And whatever you do, know which default you’re actually running – because “we use Jackson” tells you almost nothing until you also know what configured it.
Unknown fields are one small corner of building REST clients and APIs that survive change. The same API Guide for Java repo covers OpenAPI documentation, error handling, security, pagination, and versioning – see my earlier posts on API versioning in Java using JAX-RS and RFC 9457 Problem Details. The next post in this little run looks at the opposite of returning a byte[]: building an endpoint that accepts binary attachments as part of the payload.
Happy (and tolerant) reading, folks!