On 04.09.13 16:50, Cameron Morris wrote:
> I'm an outsider here, but I thought I'd chime in on this.  I'm presenting
> tomorrow night at an OWASP chapter meeting on "Attacking and Defending
> struts2" http://prezi.com/yydldqt0dep-/attacking-and-defending-struts2/
> OGNL is the star of the show.  (I'd love some feedback on the presentation
> btw)
very nice presentation! You sum up all my thoughts and put something on top

I am doing something similar on the Struts Hackathon on Friday
(strutsathon.opensource.io) but my slides are more on the usage side of
life. I definitely will refer people to your slides

> I haven't evaluated alternatives, but there appears to be many OSS
> implementations of EL.  For the parameterInterceptor it seems like OGNL
> does too much and it just needs something simple enough to set values.
> Perhaps a 1.1 version of JSTL-EL. Perhaps we can roll our own that does
> just enough to set parameters.   I'm curious to know if there are any
> struts3 plans around this.  I'm sorry to just offer criticism with no real
> solution.
I hope we'll get the ball rolling for -=OGNL in S3 - this discussion is
part of it.

Thanks!

>
>
> On Wed, Sep 4, 2013 at 7:53 AM, Christian Grobmeier 
> <grobme...@gmail.com>wrote:
>
>> On 04.09.13 15:41, Martin Gainty wrote:
>>> Granted OGNL is not intuitive but neither is JSTL
>>>
>>> because you don't understand something does not state the case for
>> removal from the framework
>> Not sure to whom you wrote this response.
>>
>> My problems with OGNL are:
>>
>> - not actively maintained (I am involved, I know about it)
>> - hard to maintain
>> - looks like it is / was responsible for a lot of security issues
>>
>> If only "I" did not understand it, that really would be no reason to remove
>> something from the framework. If a LOT of users do not understand it well,
>> it is for sure. Frameworks today must be easy to understand and easy to
>> use. If we have a chance to make things easier for users, we should
>> do it.
>>
>> In frontend land we might consider propagating JSTL if our own things
>> cannot be maintained because of lack of man power.
>>> Please State your case for an alternative mechanism for accessing
>> entities from the Object Graph
>>> Specific examples such as "OGNL access" vs "Alternative" access could
>> justify the refactoring effort
>> I was asking to collect some input and see if there are similar feelings
>> like I have on OGNL.
>>
>>> Martin
>>> ______________________________________________
>>> Disclaimer and confidentiality notice
>>>
>>> This message is confidential. If you are not the intended recipient, we
>>> kindly ask you to notify us. Any unauthorized forwarding or copying is
>>> not permitted. This message serves only to exchange information and has
>>> no legally binding effect. Because e-mails are easy to manipulate, we
>>> accept no liability for their content.
>>>
>>>> Subject: Re: Doubting OGNL
>>>> To: dev@struts.apache.org
>>>> From: umeshawas...@gmail.com
>>>> Date: Wed, 4 Sep 2013 13:13:20 +0000
>>>>
>>>> As per my experience over Stack Overflow, every alternate question on
>> Struts2 is related to OGNL syntax or user is not able to understand how
>> OGNL working.
>>>> I have a very good experience with JSTL and honestly I am more than
>> happy with its simple syntax.
>>>>
>>>> Sent from BlackBerry® on Airtel
>>>>
>>>> -----Original Message-----
>>>> From: Christian Grobmeier <grobme...@gmail.com>
>>>> Date: Wed, 04 Sep 2013 15:04:06
>>>> To: Struts Developers List<dev@struts.apache.org>
>>>> Reply-To: "Struts Developers List" <dev@struts.apache.org>
>>>> Subject: Doubting OGNL
>>>>
>>>> Folks,
>>>>
>>>> when researching on OGNL i found this link:
>>>> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
>>>>
>>>> In 2008 Brian mentioned "Security risks keep appearing" along with OGNL
>>>> and collected the places where we use OGNL. Given the recent events I
>>>> thought it might be good to bring this up again. Please also note, I
>>>> have helped with OGNL's incubation and I am also touching it over in
>>>> Commons land. My impression is OGNL is not easy to understand and there
>>>> is not really much interest from other people to develop on it.
>>>>
>>>> Looking at this list I feel OGNL is pretty much tied to Struts. On the
>>>> other hand we could start to slowly decouple the two. Not sure what we
>>>> should use otherwise.
>>>>
>>>> Any feelings on that?
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>> For additional commands, e-mail: dev-h...@struts.apache.org
>>>>
>>>>
>>



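As an added illustration of the "just enough to set parameters" idea raised in the thread above (a constructed example added here, not Struts code and not anything anyone on the list proposed): a binder that accepts only dotted bean-property paths and sets them through reflection, so there is no expression language in the request path for an attacker to reach. The `SAFE_PATH` pattern, the `class` segment check, the depth cap and the demo beans are all assumptions made for this example.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Constructed example: a minimal request-parameter binder that never
 * evaluates an expression. Not Struts code; beans and names are invented.
 */
public final class PlainParameterSetter {

    // Only identifiers joined by dots, e.g. "user.address.city".
    // No '#', '@', '(', '[' or quotes: those belong to OGNL, not to a property path.
    private static final Pattern SAFE_PATH =
        Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");
    private static final int MAX_DEPTH = 4; // assumed limit on nested traversal

    /** Applies params to root; returns the names that were rejected or skipped and why. */
    public static Map<String, String> apply(Object root, Map<String, String> params) {
        Map<String, String> problems = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            if (!SAFE_PATH.matcher(name).matches()) {
                problems.put(name, "not a plain property path");
                continue;
            }
            String[] path = name.split("\\.");
            if (path.length > MAX_DEPTH) {
                problems.put(name, "path too deep");
                continue;
            }
            try {
                set(root, path, 0, e.getValue());
            } catch (ReflectiveOperationException | IllegalArgumentException ex) {
                problems.put(name, ex.getClass().getSimpleName() + ": " + ex.getMessage());
            }
        }
        return problems;
    }

    private static void set(Object target, String[] path, int i, String value)
            throws ReflectiveOperationException {
        String segment = path[i];
        // Every object has getClass(); a plain-looking path such as "class.classLoader..."
        // would hand the caller the ClassLoader, so syntax alone is not a sufficient filter.
        if (segment.equals("class")) {
            throw new IllegalArgumentException("'class' segment not allowed");
        }
        String prop = Character.toUpperCase(segment.charAt(0)) + segment.substring(1);
        if (i == path.length - 1) {
            Method setter = findSetter(target.getClass(), "set" + prop);
            setter.invoke(target, convert(setter.getParameterTypes()[0], value));
            return;
        }
        Object next = target.getClass().getMethod("get" + prop).invoke(target);
        if (next == null) {
            throw new IllegalArgumentException("null at '" + segment + "'");
        }
        set(next, path, i + 1, value);
    }

    private static Method findSetter(Class<?> c, String name) throws NoSuchMethodException {
        for (Method m : c.getMethods()) {
            if (m.getName().equals(name) && m.getParameterCount() == 1) return m;
        }
        throw new NoSuchMethodException(name);
    }

    // Only a few target types are converted; anything else is refused rather than guessed.
    private static Object convert(Class<?> type, String s) {
        if (type == String.class) return s;
        if (type == int.class || type == Integer.class) return Integer.valueOf(s);
        if (type == boolean.class || type == Boolean.class) return Boolean.valueOf(s);
        throw new IllegalArgumentException("unsupported setter type " + type.getName());
    }

    // Constructed demo beans.
    public static class Address {
        private String city;
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }

    public static class User {
        private String name;
        private int age;
        private final Address address = new Address();
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
        public Address getAddress() { return address; }
    }

    public static void main(String[] args) {
        User user = new User();
        Map<String, String> params = new LinkedHashMap<>();   // constructed request parameters
        params.put("name", "alice");                          // accepted
        params.put("age", "42");                              // accepted, converted to int
        params.put("address.city", "Berlin");                 // accepted, nested property
        params.put("#_memberAccess['allowStaticMethodAccess']", "true"); // OGNL syntax, rejected
        params.put("@java.lang.Runtime@getRuntime().exec('id')", "x");   // OGNL syntax, rejected
        params.put("class.classLoader.URLs", "x");            // plain syntax, still refused
        params.put("address.zip", "10115");                   // no such setter, skipped

        Map<String, String> problems = apply(user, params);
        System.out.println(user.getName() + ", " + user.getAge() + ", " + user.getAddress().getCity());
        problems.forEach((k, v) -> System.out.println("refused " + k + " -> " + v));
    }
}
```

The point of the example is the contrast with an expression evaluator: the binder has a closed grammar (identifiers and dots) and a closed set of operations (public getter traversal, one public setter call, three value conversions), so every input outside that set is refused before any reflection happens. The `class` check shows that restricting syntax alone is not enough; what the path may reach also has to be limited.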