I was wondering what exactly moved Spring to use Spring EL over OGNL in its web flow product:
http://static.springsource.org/spring-webflow/docs/2.2.x/reference/htmlsingle/spring-webflow-reference.html#el-language-choices
With OGNL, I can dynamically create simple classes and execute methods, etc., directly through the flow. I know it's not a good practice to do that within actual web page templates (i.e. JSPs), because they are based on presentation, but web flow controls your program's logic and I find the ability to use OGNL effectively there to be very convenient. Plus, you can test the flow to ensure that it works easily.
So, two questions:
Are there any major benefits to using Spring EL over OGNL, especially in the context of Spring Webflow?
Can you create objects using Spring EL?
Spring Expression Language is used mainly in the view layer, such as JSP and Thymeleaf. You can manipulate Java objects easily in the view layer with SpEL. If you want to evaluate a SpEL expression in the Java layer, you can use ExpressionParser to get the outcome.
An OGNL injection occurs when there is insufficient validation of user-supplied data and the EL interpreter attempts to interpret it, enabling attackers to inject their own EL code. In the case of CVE-2022-26134, the RCE attack is not complex in nature.
OGNL stands for Object-Graph Navigation Language; it is an expression language for getting and setting properties of Java objects, plus other extras such as list projection and selection and lambda expressions. You use the same expression for both getting and setting the value of a property.
The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime. The language syntax is similar to Unified EL but offers additional features, most notably method invocation and basic string templating functionality.
Well, the "why" is stated in the SpEL docs:
While there are several other Java expression languages available, OGNL, MVEL, and JBoss EL, to name a few, the Spring Expression Language was created to provide the Spring community with a single well supported expression language that can be used across all the products in the Spring portfolio.
While OGNL has its advantages, and its fans, its functionality is too limited for what was required for Spring 3, and so SpEL was born. And because SpEL became the base expression language for Spring, WebFlow moved to that as a replacement for OGNL.
I haven't had much cause to use SpEL, though, so I couldn't tell you how to do any particular task.
As to its advantages, I'd say the primary one is that while OGNL is now stagnant, SpEL is a core part of Spring now, and so will be continuously improved and extended. Bluntly put, OGNL is dead (it's maintained now by opensymphony.com, which is hardly a dynamic, active organisation).
Not arguing that SpEL doesn't make more sense for people maintaining Spring, but OGNL isn't (thoroughly) dead and isn't maintained by opensymphony.
https://github.com/jkuhnert/ognl
So, there. pfffttttttt
Update (5/23/11): Looks like Apache will be hosting OGNL from now on. http://incubator.apache.org/projects/ognl.html
Update 2 (4/3/2014): http://commons.apache.org/proper/commons-ognl/ It's been there for a while, but I just noticed this random thread again today.
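On the question of creating objects with Spring EL, and on the ExpressionParser and injection notes above, here is an added example (not from any of the posts or from the Spring project): it evaluates the same expressions under StandardEvaluationContext and SimpleEvaluationContext, showing that SpEL can construct objects and that the restricted context refuses constructor calls and type references. The Booking class and the sample expressions are assumptions made for illustration, and the spring-expression library must be on the classpath.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelObjectCreationDemo {

    // Hypothetical root object standing in for a flow-scoped bean.
    public static class Booking {
        private final String guest;
        public Booking(String guest) { this.guest = guest; }
        public String getGuest() { return guest; }
    }

    // Evaluate one expression and report either its value or the rejection.
    static String eval(ExpressionParser parser, EvaluationContext ctx, Object root, String expr) {
        try {
            return String.valueOf(parser.parseExpression(expr).getValue(ctx, root));
        } catch (EvaluationException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        ExpressionParser parser = new SpelExpressionParser();
        Booking root = new Booking("alice"); // constructed sample data

        // Constructed sample expressions: property read, constructor call, type reference.
        String[] exprs = {
            "guest",
            "new java.lang.StringBuilder('abc').reverse().toString()",
            "T(java.lang.Math).max(1, 2)"
        };

        // Full-featured context: constructors, T(...) type references and methods resolve.
        EvaluationContext full = new StandardEvaluationContext();
        // Restricted context: read-only property access; no constructors or type lookups.
        EvaluationContext restricted = SimpleEvaluationContext.forReadOnlyDataBinding().build();

        for (String expr : exprs) {
            System.out.println(expr);
            System.out.println("  standard: " + eval(parser, full, root, expr));
            System.out.println("  simple:   " + eval(parser, restricted, root, expr));
        }
    }
}
```

When an expression string can be influenced by a request, the restricted context limits what the interpreter will resolve; the full context is only appropriate for expressions the application itself authors.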