Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java, which, while using simpler expressions than the full range of those supported by the Java language, allows getting and setting properties (through defined setProperty and getProperty methods, found in JavaBeans), and execution of methods of Java classes. It also allows for simpler array manipulation.
It is intended for use in Java EE applications with taglibs as the expression language.
OGNL was created by Luke Blanshard and Drew Davidson of OGNL Technology. OGNL development was continued by OpenSymphony, which closed in 2011. OGNL is now developed as a part of the Apache Commons.
OGNL Technology
OGNL began as a way to map associations between front-end components and back-end objects using property names. As these associations gathered more features, Drew Davidson created Key-Value Coding language (KVCL). Luke Blanshard then reimplemented KVCL using ANTLR and started using the name OGNL. The technology was again reimplemented using the Java Compiler Compiler (JavaCC).
OGNL uses Java reflection and introspection to address the Object Graph of the runtime application. This allows the program to change behavior based on the state of the object graph instead of relying on compile time settings. It also allows changes to the object graph.
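The following added example (not OGNL's own code and not from the original article) shows the mechanism in miniature: a dotted property path is resolved at run time through JavaBeans introspection and reflective getter and setter calls. The class names `PropertyPathDemo`, `Address` and `User` are hypothetical, and unlike OGNL this sketch deliberately supports only bean properties, not method execution.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;

// Added illustration, not OGNL's implementation: resolves paths such as
// "address.city" using only JavaBeans getters and setters.
public class PropertyPathDemo {
    // Hypothetical sample beans, constructed for this example.
    public static class Address {
        private String city = "Springfield";
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }
    public static class User {
        private final Address address = new Address();
        public Address getAddress() { return address; }
    }

    // Introspects one bean for a named property. Passing Object.class as the
    // stop class keeps the inherited "class" property (getClass()) out of reach.
    static PropertyDescriptor find(Object bean, String name) throws Exception {
        if (bean == null) throw new IllegalArgumentException("null before '" + name + "'");
        for (PropertyDescriptor pd : Introspector
                .getBeanInfo(bean.getClass(), Object.class).getPropertyDescriptors()) {
            if (pd.getName().equals(name)) return pd;
        }
        throw new IllegalArgumentException("no property '" + name + "'");
    }

    // Walks the object graph one segment at a time, invoking each getter reflectively.
    static Object getValue(String path, Object root) throws Exception {
        Object current = root;
        for (String segment : path.split("\\.")) {
            Method getter = find(current, segment).getReadMethod();
            if (getter == null) throw new IllegalArgumentException("not readable: " + segment);
            current = getter.invoke(current);
        }
        return current;
    }

    // Resolves the parent of the last segment, then invokes its setter.
    static void setValue(String path, Object root, Object value) throws Exception {
        int dot = path.lastIndexOf('.');
        Object parent = dot < 0 ? root : getValue(path.substring(0, dot), root);
        Method setter = find(parent, path.substring(dot + 1)).getWriteMethod();
        if (setter == null) throw new IllegalArgumentException("not writable: " + path);
        setter.invoke(parent, value);
    }

    public static void main(String[] args) throws Exception {
        User user = new User();
        System.out.println(getValue("address.city", user));
        setValue("address.city", user, "Shelbyville"); // changes the object graph
        System.out.println(getValue("address.city", user));
    }
}
```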
Projects using OGNL
* WebWork and its successor Struts2
* Tapestry (4 and earlier)
* Spring Web Flow
* Apache Click
* MyBatis - SQL mapper framework
* Thymeleaf - A Java XML/XHTML/HTML5 template engine
* FreeMarker - A Java template engine
OGNL security issues
Due to its ability to create or change executable code, OGNL is capable of introducing critical security flaws to any framework that uses it. Multiple Apache Struts 2 versions have been vulnerable to OGNL security flaws. As of October 2017, the recommended version of Struts 2 is 2.5.13. Users are urged to upgrade to the latest version, as older revisions have documented security vulnerabilities; for example, Struts 2 versions 2.3.5 through 2.3.31, and 2.5 through 2.5.10, allow remote attackers to execute arbitrary code. Atlassian Confluence has repeatedly been affected by OGNL security issues that allowed arbitrary remote code execution, and required all users to update.
See also
* MVEL
External links
* OGNL 3.x maintenance branch
* OGNL 4.x Homepage (Apache)
* Apache Struts CVE-2013-2134 OGNL Expression Injection Vulnerability