On 04.09.13 16:50, Cameron Morris wrote:
> I'm an outsider here, but I thought I'd chime in on this. I'm presenting
> tomorrow night at an OWASP-chapter meeting on "Attacking and Defending
> struts2" http://prezi.com/yydldqt0dep-/attacking-and-defending-struts2/
> OGNL is the star of the show. (I'd love some feedback on the presentation
> btw)

very nice presentation! You sum up all my thoughts and put something on top.
I am doing something similar at the Struts Hackathon on Friday
(strutsathon.opensource.io) but my slides are more on the usage side of
life. I definitely will refer people to your slides.

> I haven't evaluated alternatives, but there appear to be many OSS
> implementations of EL. For the parameterInterceptor it seems like OGNL
> does too much and it just needs something simple enough to set values.
> Perhaps a 1.1 version of JSTL-EL. Perhaps we can roll our own that does
> just enough to set parameters. I'm curious to know if there are any
> struts3 plans around this. I'm sorry to just offer criticism with no real
> solution.

I hope we'll get the ball rolling for -=OGNL in S3 - this discussion is
part of it. Thanks!

>
> On Wed, Sep 4, 2013 at 7:53 AM, Christian Grobmeier
> <grobme...@gmail.com> wrote:
>
>> On 04.09.13 15:41, Martin Gainty wrote:
>>> Granted OGNL is not intuitive but neither is JSTL
>>>
>>> because you don't understand something does not state the case for
>>> removal from the framework
>>
>> Not sure to whom you wrote this response.
>>
>> My problems with OGNL are:
>>
>> - not actively maintained (I am involved, I know about it)
>> - hard to maintain
>> - looks like it is / was responsible for a lot of security issues
>>
>> If "I" would not understand alone, it is really no reason to remove
>> something from the framework. If a LOT of users do not understand well,
>> it is for sure. Frameworks today must be easy to understand and easy to
>> use. If we have a chance to make things easier for users, we should
>> do it.
>>
>> In frontend land we might consider to propagate JSTL if our own things
>> cannot be maintained because of lack of man power.
>>
>>> Please state your case for an alternative mechanism for accessing
>>> entities from the Object Graph
>>> Specific examples such as "OGNL access" vs "Alternative" access could
>>> justify the refactoring effort
>>
>> I was asking to collect some input and see if there are similar feelings
>> like I have on OGNL.
>>
>>> Martin
>>> ______________________________________________
>>> Waiver and confidentiality notice
>>>
>>> This message is confidential. If you are not the intended recipient,
>>> we kindly ask you to notify us. Any unauthorized forwarding or copying
>>> is not permitted. This message serves only the exchange of information
>>> and has no legally binding effect. Because e-mails are easy to
>>> manipulate, we cannot accept liability for their content.
>>>
>>>> Subject: Re: Doubting OGNL
>>>> To: dev@struts.apache.org
>>>> From: umeshawas...@gmail.com
>>>> Date: Wed, 4 Sep 2013 13:13:20 +0000
>>>>
>>>> As per my experience over Stack Overflow, every alternate question on
>>>> Struts2 is related to OGNL syntax or the user is not able to understand how
>>>> OGNL is working.
>>>> I have a very good experience with JSTL and honestly I am more than
>>>> happy with its simple syntax.
>>>>
>>>> Sent from BlackBerry® on Airtel
>>>>
>>>> -----Original Message-----
>>>> From: Christian Grobmeier <grobme...@gmail.com>
>>>> Date: Wed, 04 Sep 2013 15:04:06
>>>> To: Struts Developers List<dev@struts.apache.org>
>>>> Reply-To: "Struts Developers List" <dev@struts.apache.org>
>>>> Subject: Doubting OGNL
>>>>
>>>> Folks,
>>>>
>>>> when researching on OGNL I found this link:
>>>> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
>>>>
>>>> In 2008 Brian mentioned "Security risks keep appearing" along with OGNL
>>>> and collected the places where we use OGNL. Given the recent events I
>>>> thought it might be good to bring this up again. Please also note, I
>>>> have helped with OGNL's incubation and I am also touching it over in
>>>> Commons land. My impression is OGNL is not easy to understand and there
>>>> is not really much interest from other people to develop on it.
>>>>
>>>> Looking at this list I feel OGNL is pretty much tied to Struts. On the
>>>> other hand we could start to slowly decouple the two. Not sure what we
>>>> should use otherwise.
>>>>
>>>> Any feelings on that?
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>> For additional commands, e-mail: dev-h...@struts.apache.org
>>>>
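Cameron's idea of a parameter binder that does "just enough to set values" could look like the following. This is an added illustration in Java, not code from the thread or from Struts, and every class and method name in it is assumed; it accepts only dotted property paths, walks them through public getters and setters, and refuses anything that would need an expression evaluator.

```java
// Added example, not code from the thread or from Struts: a "set values only"
// parameter binder of the kind Cameron suggests. It accepts dotted property
// paths of plain identifiers, walks them through public getters/setters, and
// rejects everything else, so request parameters never reach an expression
// evaluator. All names are assumed.
import java.lang.reflect.Method;
import java.util.Map;
import java.util.regex.Pattern;

public final class SimpleParamBinder {
    private static final Pattern PATH =
        Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    // Returns the number of parameters actually applied to root.
    public static int bind(Object root, Map<String, String> params) {
        int applied = 0;
        for (Map.Entry<String, String> e : params.entrySet()) {
            String path = e.getKey();
            // "class" would expose getClass() and everything reachable behind it
            if (!PATH.matcher(path).matches() || path.matches("(^|.*\\.)class(\\..*|$)")) {
                System.err.println("rejected parameter name: " + path);
                continue;
            }
            String[] parts = path.split("\\.");
            Object target = root;
            for (int i = 0; i < parts.length - 1 && target != null; i++) {
                target = invoke(target, "get" + cap(parts[i]));
            }
            if (target != null && setString(target, parts[parts.length - 1], e.getValue())) {
                applied++;
            }
        }
        return applied;
    }

    private static String cap(String s) {
        return Character.toUpperCase(s.charAt(0)) + s.substring(1);
    }

    // Navigate one step via a public no-arg getter; input never names a method directly
    private static Object invoke(Object o, String getter) {
        try { return o.getClass().getMethod(getter).invoke(o); }
        catch (ReflectiveOperationException ex) { return null; }
    }

    // Only String setters are supported here; type conversion would be added here
    private static boolean setString(Object o, String prop, String value) {
        try { o.getClass().getMethod("set" + cap(prop), String.class).invoke(o, value); return true; }
        catch (ReflectiveOperationException ex) { return false; }
    }
}
```

Calling `SimpleParamBinder.bind(action, request.getParameterMap()...)` with a map of single-valued parameters sets `user.address.city` through `getUser().getAddress().setCity(...)` and logs, rather than evaluates, a name such as `#application` or `foo.class.classLoader`.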