May 16, 2025 • 10 mins
In this episode, we dive into three key updates from the world of Java development and emerging tech standards:
-
First, walk through a new feature in the Neo4j Java driver (v5.28.5) that enables lightweight object mapping. I’ve set up a sample code repository showcasing how to return Cypher query results directly into your Java domain objects—no full-blown OGM needed. It’s a big improvement, but with a few gotchas you’ll want to understand.
-
Next, we take a look at Jackson Jr, a lightweight version of the popular Jackson library. If you're working in resource-constrained environments or want faster startup times, this stripped-down data processor might be just what your project needs.
-
Finally, we revisit Model Context Protocol (MCP) security, following up on concerns raised in Episode 42. I share two recent articles that highlight current security limitations in MCP and practical tips for developers looking to build safely with it today, even before full support matures.
Whether you're optimizing your Java stack or exploring AI protocols, there’s something in this episode for you.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:05):
You are listening to the BreaktimeTech Talks podcast, a bite-sized tech
podcast for busy developers where we'llbriefly cover technical topics, new
snippets, and more in short time blocks.
I'm your host, Jennifer Reif, anavid developer and problem solver
with special interest in datalearning and all things technology.
(00:25):
This week I put together a code sampleon a new feature for working with Neo4j
and Java, and a colleague sent alongan exciting Jackson library discovery.
Then I came across a couple of articlesthat follow up on MCP's current
security gaps and how developerscan utilize the technology safely.
First up though, I had mentioned in aprevious episode that Neo4j Java driver
(00:48):
has a new object mapping feature.
I had mentioned, I talked a littlebit about it then, but I wanted
to put together a code repositoryand some content around that.
I was able to now get the code repositoryup and running, and my thoughts on this
feature are that it's really awesome.
Used to, when you would use the Neo4j Javadriver, it would return raw map results
(01:12):
that didn't map to your domain classes.
I thought this was a little oddwhen I first came across this.
What do you mean?
We have a Java programming languagethat we're using, and we can't map our
entities we're getting back from ourdatabase to our Java objects, right?
That's kind of a, seems like a verynatural thing that Java developers
(01:32):
would wanna do since it's an objectoriented programming language.
However, used to you couldn't.
You would get these raw maps back, andyou would have to convert those, do
that object graph mapping very manually.
Now, however, with the Neo4j, Javadriver 5.28.5, it now will map to
your domain objects in your Javaapplication, which is really, really nice.
(01:57):
I played around with this.
Like I said, I have a code repositoryout there now that showcases this.
The thing that I came across that isdifferent from other solutions that I've
seen in the past is that you still needto return the object, the whole object
that you want from the Cypher query.
So you will have to construct thereturn results from the Cypher query
(02:17):
to map those back to your domain.
It's not a full on OGM solution.
And the feature even says this.
If you need a full object graph mappersolution, something like the Neo4jOGM
library that's available with Javaand spring, would be the way to go.
But just the kind of basic objectmapping, I want to return results
(02:39):
from the database, I wanna map it tomy plain old Java objects in my Java
application, that is now possible and itworks really well and is really slick.
Just be aware that whatever you returnfrom the database, you'll have to kind
of coax it into a format that matchesyour Java domain inside your application.
What I mean by this is that youcan't return nodes and relationships
(03:02):
separately from the query if youwant to map those as connected
entities within your application.
For instance, in a typical Java objectoriented domain set up, you would have two
separate entities and you would connectthose via a property inside one that
references the other domain entity, right?
(03:24):
So for instance, for book andauthor, you would have a book entity.
You would reference another separateauthor entity as a field inside your book
entity, and that links the two together.
With the Java driver new feature nowfor object mapping, when you return
the Cypher query, you can't just returnbooks and authors as separate entities.
(03:45):
Again, it's not a full OGM solution.
It doesn't automatically map thoseback to your domain, model, if
you will, inside your application.
But what you would need to do is returnbooks and then collect the related
author objects into a field in the bookobject coming back from your query.
And then it sees that nested structureand it maps that right back to your
(04:08):
Java domain nested structure as well.
As long as those two match,it works really smoothly.
So just be aware of that.
I will link the sample GitHub repositorywhere you can see all of this, and I
will be working on a blog post as well,but it's just not quite ready to go yet.
Then the next thing that I came acrossthis week was a colleague sent along a
repository of a smaller, lighter renditionof Jackson for certain use cases.
(04:31):
I'll link that repositoryin the show notes as well.
First of all, if you're notfamiliar, what is Jackson?
It is a Java library that contains asuite of data processing tools for Java.
It takes a variety of differentformats of data and helps you process
it and work with it and manipulateit inside your Java application.
(04:53):
The Jackson flagship component, if youwill, is their JSON Parser and Generator.
This is the thing that they'reknown for the best, working with
JSON and helping you serialize anddeserialize it, inside and outside,
outside of your Java application.
However, if you peek at the GitHubrepository for Jackson, the initial core
library, you'll see all the differentdata formats and things that are included.
(05:16):
So they take lots of other types ofdata formats as well, not just JSON.
It's just JSON's whatthey're most famous for.
The whole repository, if youwill, the library dependency
and so on, is very large.
The downside of that is thatit ends up being a very large
dependency with potentiallyunneeded pieces or sub dependencies.
For instance, if you're wanting to justparse JSON, then you're not using all of
(05:38):
the other capabilities that are bundledand available within that large library.
So, what the new lighter, smallerrendition of Jackson is, it's called
Jackson, Jr. What it does is that it isa kind of slim down trim version of this.
And the library positions itself asvery helpful when the size of the jar
(05:59):
matters, so the package, the wholeJava application package, or when your
startup time for the application matters.
If you want those to be really, reallysmall, then this Jackson Junior Library
might be a great option for you.
I have not had a chance to playwith this Jackson Junior yet,
but I know several colleagues whoare already working with this and
incorporating it into their projects.
And I hope to explore itsometime in the future as well.
(06:22):
The content pieces I want tolook at today, and yes, I said
pieces, there's more than one.
There's two.
However, they both kind of pile onto atopic we've already discussed in the past.
So if you remember from episode 42 ofthis podcast, I referenced an MCP or
Model context protocol blog post, andone of the current limitations that was
(06:43):
outlined in that blog post was security.
Both of the articles that I cameacross focus on this aspect of MCP
and some things that developers can doto help combat some of these issues.
I will also add a caveat that botharticles are from vendors, so they
recommend very specific productsto help solve these problems.
So just so you're aware, they arecoming from vendor specific viewpoints.
(07:05):
The first article that I came acrosswas "The S and MCP stands for Security".
I will link this, in these show notes, butthis article goes into some pros and some
cons, some things that are not going sowell and maybe some ways to combat that.
I find that it's easy to fall into oneof two extremes in a lot of different
topics, tech being just one of those.
(07:26):
You either trust everything andyou just test things out and give
everything your all, and sometimesthat gets you in hot water.
And then the other side of that is youview everything in a doom and gloom
light, and you avoid using thingsinto the really well established.
I think there's downsides and upsidesto both of those extremes, but it is
very healthy to understand the realflaws and the gaps where certain
technologies just haven't caught up yet.
(07:49):
This article does start out prettynegative, I find, but it explains the
real gaps in security with MCP in avery overview and approachable way.
It's quick hits, very easy toread and follow along with.
But, after it gets done with thenegatives, it does step through
real ways that developers can combatthose gaps while still using MCP.
(08:09):
So even though it kind of startsoff in a, in a negative viewpoint,
the article realizes that people arestill going to be using this stuff.
Are their ways and goodpractices that developers can
set so they can use it safely?
It brings awareness withouthindering usage of the technology.
And of course, over time a lot of theseholes will get plugged up and these
missing features will be built in.
(08:30):
But we're just not there yet.
So in the meantime, we need to beaware and give our due diligence
to use these tools safely.
So I really liked this article.
It was a good highlight.
Here are the things that can gowrong with some code snippets and
explanation alongside, and thenexplaining how developers can kind of
fill these gaps in the meantime, whilethe tool does not fill them itself.
Then the second article I cameacross was called AI Model Context
(08:54):
Protocol, MCP, and Security.
This author argues that MCPprovides points that are
accessible to add security in.
It's just that developers need toknow what to inject into those places.
This one takes a slightlydifferent approach to the topic
than the last one did, but itis kind of along the same lines.
It's more of a deep dive onspecific security aspects.
(09:15):
I didn't find it too overly deep, though Iwas still able to follow along just fine.
First, the article starts bygiving an architecture of MCP and
then steps into specific securityconsiderations along the way.
There are some detailed walkthroughs ofthe gaps, some that were also mentioned
in the previous article that we alreadytalked about, and then the article also
goes into some solutions and reasons whythese approaches work well or are helpful.
(09:40):
Some of these are already things thatcybersecurity professionals will know
and be doing anyway, but it's justgood reminders of things that the tool
doesn't take care of out of the box.
In the article, it goes over justsome general security practices as
well as things you need to be aware ofwhen you're dealing with AI solutions
and the security that goes on there.
So things like authentication,access control and verification,
(10:02):
the server responses or errormessage practices, the tool input
validations and LLM sampling controls.
Again, a mix of general securitypractices as well as things that you
need specifically for AI solutions.
I thought these two articles were reallygreat in just addressing some of the
gaps and holes that are still existingin this environment and some ways
that we can already start practicingand working with these tools safely.
(10:26):
There is still so much information tosift through on my end, but I highlighted
a couple of my finds this week on thenew Neo4j Java driver object mapping
feature and the Jackson Junior Library.
Then we dug in on some of thesecurity gaps with MCP and the ways
that developers can still use thetechnology with security in mind.
As always, thanks forlistening and happy coding.
You are listening to the BreaktimeTech Talks podcast, a bite-sized tech
podcast for busy developers where we'llbriefly cover technical topics, new
snippets, and more in short time blocks.
I'm your host, Jennifer Reif, anavid developer and problem solver
with special interest in datalearning and all things technology.
(00:25):
This week I put together a code sampleon a new feature for working with Neo4j
and Java, and a colleague sent alongan exciting Jackson library discovery.
Then I came across a couple of articlesthat follow up on MCP's current
security gaps and how developerscan utilize the technology safely.
First up though, I had mentioned in aprevious episode that Neo4j Java driver
(00:48):
has a new object mapping feature.
I had mentioned, I talked a littlebit about it then, but I wanted
to put together a code repositoryand some content around that.
I was able to now get the code repositoryup and running, and my thoughts on this
feature are that it's really awesome.
Used to, when you would use the Neo4j Javadriver, it would return raw map results
(01:12):
that didn't map to your domain classes.
I thought this was a little oddwhen I first came across this.
What do you mean?
We have a Java programming languagethat we're using, and we can't map our
entities we're getting back from ourdatabase to our Java objects, right?
That's kind of a, seems like a verynatural thing that Java developers
(01:32):
would wanna do since it's an objectoriented programming language.
However, used to you couldn't.
You would get these raw maps back, andyou would have to convert those, do
that object graph mapping very manually.
Now, however, with the Neo4j, Javadriver 5.28.5, it now will map to
your domain objects in your Javaapplication, which is really, really nice.
(01:57):
I played around with this.
Like I said, I have a code repositoryout there now that showcases this.
The thing that I came across that isdifferent from other solutions that I've
seen in the past is that you still needto return the object, the whole object
that you want from the Cypher query.
So you will have to construct thereturn results from the Cypher query
(02:17):
to map those back to your domain.
It's not a full on OGM solution.
And the feature even says this.
If you need a full object graph mappersolution, something like the Neo4jOGM
library that's available with Javaand spring, would be the way to go.
But just the kind of basic objectmapping, I want to return results
(02:39):
from the database, I wanna map it tomy plain old Java objects in my Java
application, that is now possible and itworks really well and is really slick.
Just be aware that whatever you returnfrom the database, you'll have to kind
of coax it into a format that matchesyour Java domain inside your application.
What I mean by this is that youcan't return nodes and relationships
(03:02):
separately from the query if youwant to map those as connected
entities within your application.
For instance, in a typical Java objectoriented domain set up, you would have two
separate entities and you would connectthose via a property inside one that
references the other domain entity, right?
(03:24):
So for instance, for book andauthor, you would have a book entity.
You would reference another separateauthor entity as a field inside your book
entity, and that links the two together.
With the Java driver new feature nowfor object mapping, when you return
the Cypher query, you can't just returnbooks and authors as separate entities.
(03:45):
Again, it's not a full OGM solution.
It doesn't automatically map thoseback to your domain, model, if
you will, inside your application.
But what you would need to do is returnbooks and then collect the related
author objects into a field in the bookobject coming back from your query.
And then it sees that nested structureand it maps that right back to your
(04:08):
Java domain nested structure as well.
As long as those two match,it works really smoothly.
So just be aware of that.
I will link the sample GitHub repositorywhere you can see all of this, and I
will be working on a blog post as well,but it's just not quite ready to go yet.
Then the next thing that I came acrossthis week was a colleague sent along a
repository of a smaller, lighter renditionof Jackson for certain use cases.
(04:31):
I'll link that repositoryin the show notes as well.
First of all, if you're notfamiliar, what is Jackson?
It is a Java library that contains asuite of data processing tools for Java.
It takes a variety of differentformats of data and helps you process
it and work with it and manipulateit inside your Java application.
(04:53):
The Jackson flagship component, if youwill, is their JSON Parser and Generator.
This is the thing that they'reknown for the best, working with
JSON and helping you serialize anddeserialize it, inside and outside,
outside of your Java application.
However, if you peek at the GitHubrepository for Jackson, the initial core
library, you'll see all the differentdata formats and things that are included.
(05:16):
So they take lots of other types ofdata formats as well, not just JSON.
It's just JSON's whatthey're most famous for.
The whole repository, if youwill, the library dependency
and so on, is very large.
The downside of that is thatit ends up being a very large
dependency with potentiallyunneeded pieces or sub dependencies.
For instance, if you're wanting to justparse JSON, then you're not using all of
(05:38):
the other capabilities that are bundledand available within that large library.
So, what the new lighter, smallerrendition of Jackson is, it's called
Jackson, Jr. What it does is that it isa kind of slim down trim version of this.
And the library positions itself asvery helpful when the size of the jar
(05:59):
matters, so the package, the wholeJava application package, or when your
startup time for the application matters.
If you want those to be really, reallysmall, then this Jackson Junior Library
might be a great option for you.
I have not had a chance to playwith this Jackson Junior yet,
but I know several colleagues whoare already working with this and
incorporating it into their projects.
And I hope to explore itsometime in the future as well.
(06:22):
The content pieces I want tolook at today, and yes, I said
pieces, there's more than one.
There's two.
However, they both kind of pile onto atopic we've already discussed in the past.
So if you remember from episode 42 ofthis podcast, I referenced an MCP or
Model context protocol blog post, andone of the current limitations that was
(06:43):
outlined in that blog post was security.
Both of the articles that I cameacross focus on this aspect of MCP
and some things that developers can doto help combat some of these issues.
I will also add a caveat that botharticles are from vendors, so they
recommend very specific productsto help solve these problems.
So just so you're aware, they arecoming from vendor specific viewpoints.
(07:05):
The first article that I came acrosswas "The S and MCP stands for Security".
I will link this, in these show notes, butthis article goes into some pros and some
cons, some things that are not going sowell and maybe some ways to combat that.
I find that it's easy to fall into oneof two extremes in a lot of different
topics, tech being just one of those.
(07:26):
You either trust everything andyou just test things out and give
everything your all, and sometimesthat gets you in hot water.
And then the other side of that is youview everything in a doom and gloom
light, and you avoid using thingsinto the really well established.
I think there's downsides and upsidesto both of those extremes, but it is
very healthy to understand the realflaws and the gaps where certain
technologies just haven't caught up yet.
(07:49):
This article does start out prettynegative, I find, but it explains the
real gaps in security with MCP in avery overview and approachable way.
It's quick hits, very easy toread and follow along with.
But, after it gets done with thenegatives, it does step through
real ways that developers can combatthose gaps while still using MCP.
(08:09):
So even though it kind of startsoff in a, in a negative viewpoint,
the article realizes that people arestill going to be using this stuff.
Are their ways and goodpractices that developers can
set so they can use it safely?
It brings awareness withouthindering usage of the technology.
And of course, over time a lot of theseholes will get plugged up and these
missing features will be built in.
(08:30):
But we're just not there yet.
So in the meantime, we need to beaware and give our due diligence
to use these tools safely.
So I really liked this article.
It was a good highlight.
Here are the things that can gowrong with some code snippets and
explanation alongside, and thenexplaining how developers can kind of
fill these gaps in the meantime, whilethe tool does not fill them itself.
Then the second article I cameacross was called AI Model Context
(08:54):
Protocol, MCP, and Security.
This author argues that MCPprovides points that are
accessible to add security in.
It's just that developers need toknow what to inject into those places.
This one takes a slightlydifferent approach to the topic
than the last one did, but itis kind of along the same lines.
It's more of a deep dive onspecific security aspects.
(09:15):
I didn't find it too overly deep, though Iwas still able to follow along just fine.
First, the article starts bygiving an architecture of MCP and
then steps into specific securityconsiderations along the way.
There are some detailed walkthroughs ofthe gaps, some that were also mentioned
in the previous article that we alreadytalked about, and then the article also
goes into some solutions and reasons whythese approaches work well or are helpful.
(09:40):
Some of these are already things thatcybersecurity professionals will know
and be doing anyway, but it's justgood reminders of things that the tool
doesn't take care of out of the box.
In the article, it goes over justsome general security practices as
well as things you need to be aware ofwhen you're dealing with AI solutions
and the security that goes on there.
So things like authentication,access control and verification,
(10:02):
the server responses or errormessage practices, the tool input
validations and LLM sampling controls.
Again, a mix of general securitypractices as well as things that you
need specifically for AI solutions.
I thought these two articles were reallygreat in just addressing some of the
gaps and holes that are still existingin this environment and some ways
that we can already start practicingand working with these tools safely.
(10:26):
There is still so much information tosift through on my end, but I highlighted
a couple of my finds this week on thenew Neo4j Java driver object mapping
feature and the Jackson Junior Library.
Then we dug in on some of thesecurity gaps with MCP and the ways
that developers can still use thetechnology with security in mind.
As always, thanks forlistening and happy coding.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.