
OGNL

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by GreenC bot (talk | contribs) at 13:09, 9 September 2016 (WaybackMedic 2). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

OGNL
Developer(s): OGNL Technology
Stable release: 3.0.8 / September 24, 2013
Written in: Java
Operating system: Cross-platform
Platform: Java Virtual Machine
Type: Expression Language (EL)
License: BSD License
Website: http://commons.apache.org/ognl/

Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. Its expressions are simpler than the full range supported by the Java language, yet they allow getting and setting properties (through the defined setProperty and getProperty methods found in JavaBeans) and executing methods of Java classes. It also allows for simpler array manipulation.

It is intended for use as the expression language in Java EE applications with taglibs.

OGNL was created by Luke Blanshard and Drew Davidson of OGNL Technology.[1] OGNL development was continued by OpenSymphony, which closed in 2011.[2] OGNL is now developed as part of Apache Commons.

OGNL Technology

OGNL began as a way to map associations between front-end components and back-end objects using property names. As these associations gathered more features, Drew Davidson created Key-Value Coding language (KVCL). Luke Blanshard then reimplemented KVCL using ANTLR and started using the name OGNL. The technology was again reimplemented using the Java Compiler Compiler (JavaCC).

OGNL uses Java reflection and introspection to address the Object Graph of the runtime application. This allows the program to change behavior based on the state of the object graph instead of relying on compile time settings. It also allows changes to the object graph.

Projects using OGNL

OGNL Security Issues

Due to its ability to create or change executable code, OGNL is capable of introducing critical security flaws into any framework that uses it. Multiple Apache Struts2 versions have been vulnerable to OGNL security flaws. As of October 2013, the recommended secure version of Struts2 is 2.3.15.2, released on September 20, 2013. Users are urged to upgrade to the latest version.

For example, Apache Struts versions 2.0.0 through 2.3.15 allow remote attackers to execute arbitrary OGNL expressions via a parameter prefixed with action:, redirect:, or redirectAction:. Exploit code for this vulnerability was released for the Metasploit framework on July 7, 2013.
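As a detection aid for the prefixed-parameter issue described above, the following added example (not part of the original article or of Struts) scans web access-log lines for query parameters that start with action:, redirect:, or redirectAction:. The log format, the sample lines, and the `${...}` / `%{...}` expression-delimiter heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Parameter-name prefixes named in the text above (matched case-sensitively).
PREFIXES = ("action:", "redirect:", "redirectAction:")
# Assumption, not from the page: an embedded expression is wrapped in ${...} or %{...}.
EXPR = re.compile(r"[$%]\{")
# Request target inside a common/combined-format access-log line.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode(text, rounds=3):
    """URL-decode up to `rounds` times so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return (verdict, decoded parameter) for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return ("unparsed", None)
    query = match.group(1).partition("?")[2]
    hit = None
    for raw in query.split("&"):  # split before decoding so %26 stays inside its pair
        pair = decode(raw)
        if pair.startswith(PREFIXES):
            if EXPR.search(pair):
                return ("expression", pair)  # prefix plus expression syntax
            hit = hit or pair
    return ("prefixed", hit) if hit else ("clean", None)

def scan(lines):
    """Return (line number, verdict, parameter) for every line that is not clean."""
    results = [(n, *classify(line)) for n, line in enumerate(lines, 1)]
    return [r for r in results if r[1] != "clean"]

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2013:10:00:00 +0000] "GET /shop/list.action?page=2 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Aug/2013:10:00:01 +0000] "GET /shop/login.action?redirect:/home.action HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Aug/2013:10:00:02 +0000] "GET /shop/login.action?redirect:%24%7B1%2B1%7D HTTP/1.1" 302 0',
    '10.0.0.8 - - [01/Aug/2013:10:00:03 +0000] "GET /a.action?x=1&redirectAction:%2525%257B1%252B1%257D HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for n, verdict, param in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {param}")
```

Access logs normally record only the query string, so prefixed parameters sent in a POST body need request-body logging or a filter in front of the application. A `prefixed` verdict on its own is a lead to review rather than proof of an attack attempt.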

References

  1. "ognl.org". OGNL Technology, Inc. Archived from the original on 23 October 2008. Retrieved 5 November 2013.
  2. "OpenSymphony, RIP (2000 - 2011)". Open Symphony. Retrieved 1 June 2011.