OGNL

OGNL
Developer(s)	OGNL Technology
Stable release	3.0.8 / September 24, 2013
Written in	Java
Operating system	Cross-platform
Platform	Java Virtual Machine
Type	Expression Language (EL)
License	BSD License
Website	http://commons.apache.org/ognl/

Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java, which, while using simpler expressions than the full range of those supported by the Java language, allows getting and setting properties (through defined setProperty and getProperty methods, found in JavaBeans), and execution of methods of Java classes. It also allows for simpler array manipulation.

It is aimed to be used in Java EE applications with taglibs as expression language.

OGNL was created by Luke Blanshard and Drew Davidson of OGNL Technology.[1] OGNL development was continued by OpenSymphony, which closed in 2011.[2] OGNL is developed now as a part of the Apache Commons.

OGNL Technology

OGNL began as a way to map associations between front-end components and back-end objects using property names. As these associations gathered more features, Drew Davidson created Key-Value Coding language (KVCL). Luke Blanshard then reimplemented KVCL using ANTLR and started using the name OGNL. The technology was again reimplemented using the Java Compiler Compiler (JavaCC).

OGNL uses Java reflection and introspection to address the Object Graph of the runtime application. This allows the program to change behavior based on the state of the object graph instead of relying on compile time settings. It also allows changes to the object graph.

Projects using OGNL

WebWork and its successor Struts2
Tapestry (4 and earlier)
Spring Web Flow
Apache Click
MyBatis - SQL mapper framework
The Thymeleaf - A Java XML/XHTML/HTML5 template engine
FreeMarker - A Java template engine

OGNL security issues

Due to its ability to create or change executable code, OGNL is capable of introducing critical security flaws to any framework that uses it. Multiple Apache Struts 2 versions have been vulnerable to OGNL security flaws.[3] As of October 2017, the recommended version of Struts 2 is 2.5.13.[4] Users are urged to upgrade to the latest version, as older revisions have documented security vulnerabilities — for example, Struts 2 versions 2.3.5 through 2.3.31, and 2.5 through 2.5.10, allow remote attackers to execute arbitrary code.[5]

gollark: What *is* /var/bt?

gollark: Just pick any, although probably don't use it in a formal context because neither is "really" a word.

gollark: Jokes are hard to parse.

gollark: You know you can access a terminal and stuff on phones. It's just annoying because bad I/O.

gollark: I can't tell, but it *might* be.

External links

References

"ognl.org", OGNL Technology, Inc, archived from the original on 25 October 2008, retrieved 5 November 2013
"OpenSymphony, RIP (2000 - 2011)". Open Symphony. Archived from the original on 5 September 2013. Retrieved 1 June 2011.
"Apache Struts : List of security vulnerabilities". cvedetails.com. Retrieved October 2, 2017.
"Apache Struts Releases". struts.apache.org. Retrieved October 2, 2017.
Goodin, Dan (March 9, 2017). "Critical vulnerability under "massive" attack imperils high-impact sites [Updated]". Ars Technica. Retrieved October 2, 2017.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.

[1] "ognl.org", OGNL Technology, Inc, archived from the original on 25 October 2008, retrieved 5 November 2013

[2] "OpenSymphony, RIP (2000 - 2011)". Open Symphony. Archived from the original on 5 September 2013. Retrieved 1 June 2011.

[3] "Apache Struts : List of security vulnerabilities". cvedetails.com. Retrieved October 2, 2017.

[4] "Apache Struts Releases". struts.apache.org. Retrieved October 2, 2017.

[5] Goodin, Dan (March 9, 2017). "Critical vulnerability under "massive" attack imperils high-impact sites [Updated]". Ars Technica. Retrieved October 2, 2017.