IMO, I see no use for OGNL outside of the view layer. What good use cases
are there to evaluate OGNL in anything else? I also don't think it should be
used inside of struts.xml either.


On Wed, Sep 4, 2013 at 9:50 AM, Cameron Morris <cmor...@part.net> wrote:

> I'm an outsider here, but I thought I'd chime in on this.  I'm presenting
> tomorrow night at an OWASP chapter meeting on "Attacking and Defending
> struts2" http://prezi.com/yydldqt0dep-/attacking-and-defending-struts2/
> OGNL is the star of the show.  (I'd love some feedback on the presentation
> btw)
>
> OGNL is a big risk.  OGNL in the JSPs isn't as much of an issue; it's the
> OGNL use everywhere else as glue that seems to get us into trouble over and
> over.  We are planning on rewriting our public (non-authenticated) actions
> as plain-old servlets just to reduce the exposure.
>
> Not for the risk, but for future flexibility, new pages we write will be
> JSP using only JSTL and EL.
>
> I haven't evaluated alternatives, but there appear to be many OSS
> implementations of EL.  For the parameterInterceptor it seems like OGNL
> does too much and it just needs something simple enough to set values.
> Perhaps a 1.1 version of JSTL-EL.  Perhaps we can roll our own that does
> just enough to set parameters.  I'm curious to know if there are any
> struts3 plans around this.  I'm sorry to just offer criticism with no real
> solution.
>
>
> On Wed, Sep 4, 2013 at 7:53 AM, Christian Grobmeier <grobme...@gmail.com> wrote:
>
> > On 04.09.13 15:41, Martin Gainty wrote:
> > > Granted OGNL is not intuitive but neither is JSTL
> > >
> > > because you don't understand something does not state the case for
> > > removal from the framework
> > Not sure to whom you wrote this response.
> >
> > My problems with OGNL are:
> >
> > - not actively maintained (I am involved, I know about it)
> > - hard to maintain
> > - looks like it is / was responsible for a lot of security issues
> >
> > If only "I" did not understand it, that is really no reason to remove
> > something from the framework. If a LOT of users do not understand it well,
> > it is for sure. Frameworks today must be easy to understand and easy to
> > use. If we have a chance to make things easier for users, we should
> > do it.
> >
> > In frontend land we might consider propagating JSTL if our own things
> > cannot be maintained because of a lack of manpower.
> > > Please state your case for an alternative mechanism for accessing
> > > entities from the Object Graph
> > >
> > > Specific examples such as "OGNL access" vs "Alternative" access could
> > justify the refactoring effort
> > I was asking to collect some input and see if there are feelings on OGNL
> > similar to mine.
> >
> > >
> > > Martin
> > > ______________________________________________
> > > Disclaimer and confidentiality notice
> > >
> > > This message is confidential. If you are not the intended recipient,
> > > we kindly ask you to notify us. Any unauthorised forwarding or copying
> > > is not permitted. This message serves only for the exchange of
> > > information and has no legally binding effect. Because e-mails are easy
> > > to manipulate, we cannot accept any liability for their content.
> > >
> > >
> > >> Subject: Re: Doubting OGNL
> > >> To: dev@struts.apache.org
> > >> From: umeshawas...@gmail.com
> > >> Date: Wed, 4 Sep 2013 13:13:20 +0000
> > >>
> > >> As per my experience over Stack Overflow, every other question on
> > >> Struts2 is related to OGNL syntax or the user is not able to understand
> > >> how OGNL works.
> > >>
> > >> I have very good experience with JSTL and honestly I am more than
> > >> happy with its simple syntax.
> > >>
> > >>
> > >> Sent from BlackBerry® on Airtel
> > >>
> > >> -----Original Message-----
> > >> From: Christian Grobmeier <grobme...@gmail.com>
> > >> Date: Wed, 04 Sep 2013 15:04:06
> > >> To: Struts Developers List<dev@struts.apache.org>
> > >> Reply-To: "Struts Developers List" <dev@struts.apache.org>
> > >> Subject: Doubting OGNL
> > >>
> > >> Folks,
> > >>
> > >> When researching OGNL I found this link:
> > >> https://cwiki.apache.org/confluence/display/S2WIKI/OGNL+replacement
> > >>
> > >> In 2008 Brian mentioned "Security risks keep appearing" along with
> > >> OGNL and collected the places where we use OGNL. Given the recent
> > >> events I thought it might be good to bring this up again. Please also
> > >> note, I have helped with OGNL's incubation and I am also touching it
> > >> over in Commons land. My impression is OGNL is not easy to understand
> > >> and there is not really much interest from other people to develop on
> > >> it.
> > >>
> > >> Looking at this list I feel OGNL is pretty much tied to Struts. On the
> > >> other hand we could start to slowly decouple the two. Not sure what we
> > >> should use otherwise.
> > >>
> > >> Any feelings on that?
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> > >> For additional commands, e-mail: dev-h...@struts.apache.org
> > >>
> > >>
> > >
> >
> >
> >
> >
>



-- 
Cheers,
Paul
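
Cameron's point above that the parameter interceptor "just needs something simple enough to set values" can be made concrete. The class below is an added example written for this page; it is not code from the thread, from Struts or from any OGNL replacement project. It is a hypothetical SafeParameterSetter that assigns request parameters to JavaBean properties along a plain dotted path and refuses anything else, so there is no expression language left to evaluate: the class names, the MAX_DEPTH limit, the conversion set and the request map are all constructed for the demonstration.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical minimal "set values only" replacement for OGNL in a parameters interceptor. */
public final class SafeParameterSetter {

    // Only plain property paths such as "address.city" are accepted. There is no
    // grammar for '#', '@', '(', '[', quotes or operators, so nothing is ever evaluated.
    private static final Pattern PLAIN_PATH =
        Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    private static final int MAX_DEPTH = 4; // constructed limit: keep traversal shallow

    private SafeParameterSetter() {}

    /** Applies each parameter to the target bean and returns the names it rejected. */
    public static List<String> apply(Object target, Map<String, String> params) {
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!set(target, e.getKey(), e.getValue())) {
                rejected.add(e.getKey());
            }
        }
        return rejected;
    }

    /** Walks getters along the path and calls exactly one setter at the end. */
    static boolean set(Object target, String path, String value) {
        if (path == null || !PLAIN_PATH.matcher(path).matches()) return false;
        String[] parts = path.split("\\.");
        if (parts.length > MAX_DEPTH) return false;
        try {
            Object current = target;
            for (int i = 0; i < parts.length - 1; i++) {
                PropertyDescriptor pd = descriptor(current.getClass(), parts[i]);
                if (pd == null || pd.getReadMethod() == null) return false;
                current = pd.getReadMethod().invoke(current);
                if (current == null) return false; // never auto-instantiates nested beans
            }
            PropertyDescriptor pd = descriptor(current.getClass(), parts[parts.length - 1]);
            if (pd == null || pd.getWriteMethod() == null) return false;
            Method setter = pd.getWriteMethod();
            Object converted = convert(setter.getParameterTypes()[0], value);
            if (converted == null) return false;
            setter.invoke(current, converted);
            return true;
        } catch (ReflectiveOperationException | IntrospectionException | IllegalArgumentException ex) {
            return false;
        }
    }

    // Introspector with Object.class as the stop class excludes the "class" property.
    private static PropertyDescriptor descriptor(Class<?> type, String name) throws IntrospectionException {
        BeanInfo info = Introspector.getBeanInfo(type, Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if (pd.getName().equals(name)) return pd;
        }
        return null;
    }

    // Deliberately tiny set of conversions; any other target type is refused.
    private static Object convert(Class<?> type, String value) {
        if (type == String.class) return value;
        if (type == int.class || type == Integer.class) return Integer.valueOf(value.trim());
        if (type == long.class || type == Long.class) return Long.valueOf(value.trim());
        if (type == boolean.class || type == Boolean.class) return Boolean.valueOf(value.trim());
        return null;
    }

    // Constructed sample action beans for the demonstration.
    public static class Address {
        private String city;
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }

    public static class User {
        private String name;
        private int age;
        private Address address = new Address();
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
        public Address getAddress() { return address; }
    }

    public static void main(String[] args) {
        User user = new User();
        Map<String, String> request = new LinkedHashMap<>(); // constructed request parameters
        request.put("name", "alice");
        request.put("age", "42");
        request.put("address.city", "Berlin");
        request.put("address.country", "DE"); // no such property: rejected
        request.put("name[0]", "x");          // index syntax is not a plain path: rejected
        List<String> rejected = apply(user, request);
        System.out.println(user.getName() + ", " + user.getAge() + ", " + user.getAddress().getCity());
        System.out.println("rejected: " + rejected);
    }
}
```

The design choice is that the acceptable input is defined by a grammar small enough to read in one line, and every failure (unknown property, read-only property, unsupported type, null intermediate bean) simply skips the parameter instead of falling back to anything more expressive. A real interceptor would still combine this with the per-action parameter allow-list and size limits it already has.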
