Apache Commons JEXL

Compatibility with previous releases

Version 3.3 is source and binary compatible with 3.2.

However, the default setting for permissions that determine which packages, classes and methods are accessible to scripts has been reduced to a very narrow set. When migrating from a previous version of JEXL, this may break your application's behavior; this breaking change requires remediation in your code.

Despite the obvious inconvenience (our sincere apologies on the matter), how much functional and semantic power is accessible through scripts has a real impact on your application security and stability; that potential risk requires an informed review and a conscious choice on your end.

To mitigate the change, you can revert to the previous behavior with one line of code (see JexlPermissions, JexlBuilder and JexlScriptEngine) or use this opportunity to reduce exposure. Whether Files, URLs, networking, processes, class-loaders or reflection classes are accessible, and whether loops or side-effects are allowed, is part of your choice to make.
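The two migration paths described above, side by side, as an added example that is not taken from the JEXL project: the 3.3 default, the one-line revert, and a tailored set that re-opens only what scripts need. The package `com.example.app` and the classes `PermissionsMigration` and `Order` are hypothetical; the code assumes commons-jexl3 3.3 on the classpath.

```java
package com.example.app; // hypothetical application package (assumption)

import org.apache.commons.jexl3.*;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public class PermissionsMigration {
    /** Constructed application object that scripts are meant to use. */
    public static class Order {
        public int total() { return 42; }
    }

    /** Builds a strict, non-silent engine so a denied call surfaces as an exception. */
    static JexlEngine engine(JexlPermissions permissions, JexlFeatures features) {
        JexlBuilder builder = new JexlBuilder().strict(true).silent(false);
        if (permissions != null) builder.permissions(permissions);
        if (features != null) builder.features(features);
        return builder.create();
    }

    /** Runs a script and reports whether parsing or evaluation was refused. */
    static String run(JexlEngine jexl, String source) {
        JexlContext context = new MapContext();
        context.set("order", new Order());
        try {
            return "ok: " + jexl.createScript(source).execute(context);
        } catch (JexlException e) {
            return "refused: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        String call = "order.total()";
        // 3.3 default: the narrow set, which does not include application packages.
        System.out.println(run(engine(null, null), call));
        // One-line revert to the pre-3.3 behavior: no permission filtering.
        System.out.println(run(engine(JexlPermissions.UNRESTRICTED, null), call));
        // Reduced exposure: the restricted set plus the one package scripts need.
        JexlPermissions tailored = JexlPermissions.RESTRICTED.compose("com.example.app.*");
        System.out.println(run(engine(tailored, null), call));
        // Syntactic limits on top: no loops, no assignment to context variables.
        JexlFeatures limited = new JexlFeatures().loops(false).sideEffectGlobal(false);
        System.out.println(run(engine(tailored, limited), "for (var i : [1, 2, 3]) { order.total() }"));
    }
}
```

The same permissions object can be installed for every engine built afterwards with `JexlBuilder.setDefaultPermissions(...)`, or for the JSR-223 engine with `JexlScriptEngine.setPermissions(...)`.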

What's new in 3.3:

JEXL 3.3 brings the ability to configure permissions on libraries in the manner pioneered with the @NoJexl annotation on source code. This is achieved through a crude but light mechanism akin to a security manager that controls what JEXL can introspect and thus expose to scripts.

Used in conjunction with options (JexlOptions) and features (JexlFeatures), the permissions (JexlPermissions) allow fine-tuning the end-user freedom and scripting integration through syntactic and semantic sanitation.

JEXL 3.3 also adds some syntactic (ECMAScript) features (let, const, =>, for, ...) to further reduce the skill set required to write scripts.

New Features in 3.3:

JEXL-392: Enable namespace declaration based on scripts
JEXL-391: Improve in/=~ operator when arguments are arrays and collections
JEXL-390: Pragmas should not be statements
JEXL-389: Improve parsing timings
JEXL-385: Support disabling fortran-style relational operators syntax
JEXL-382: Simplify grammar and lexical state management
JEXL-380: Multiple values per pragma key
JEXL-379: Allow new to use class identifier
JEXL-373: Add support for prefix/postfix increment/decrement operators
JEXL-372: Add support for 'standard' for loop
JEXL-369: Add 'let' and 'const' variable declarations
JEXL-367: Named function and fat-arrow (=>) lambda syntax
JEXL-366: Fail to evaluate string and number comparison
JEXL-365: Lambda expressions
JEXL-363: Allow retrieving captured variables in script
JEXL-360: Add missing bitshift operators (>>>, >>, <<)
JEXL-359: Allow per-operator arithmetic handling of null arguments
JEXL-357: Configure accessible packages/classes/methods/fields

Bugs Fixed in 3.3:

JEXL-386: Non-inheritable permissions on interfaces are ignored in an inheritable sandbox
JEXL-384: Improve control over JexlArithmetic null argument handling
JEXL-378: Incremental operator and decremental operator do not honor the side-effect flag
JEXL-376: Introspector captures methods on non-exported classes (modules, java9+)
JEXL-375: Cannot access enums by their name when using sandbox
JEXL-374: No exception if dereferencing null object using safe(false) and antish(false)
JEXL-371: Override of a protected method with public visibility is not callable
JEXL-370: Cannot check if variable is defined using ObjectContext if the value is null
JEXL-368: Namespace functor resolution is not cached
JEXL-364: Evaluator options not propagated in closures
JEXL-362: JexlInfo position reporting is off
JEXL-361: Null may be used as operand silently even in arithmetic strict(true) mode
JEXL-354: #pragma does not handle negative integer or real literals
JEXL-353: Documentation error for not-in/not-match operator