Choosing the Right Java Expression Engine: Performance, Security, and Community Insights

1. Introduction

Our project team is responsible for enterprise business systems where requirements are diverse and complex. To improve flexibility and responsiveness, we use an expression engine to centrally configure business rules and enable real‑time decision making.

When multiple suppliers provide different reward rules, hard‑coded if/else branches become unmanageable, prompting the need for a more maintainable solution.

2. Technical Stack Overview

We evaluate several common Java expression engines: AviatorScript, MVEL, OGNL, SpEL, QLExpress, JEXL, JUEL, and Janino.

2.1 AviatorScript

A high‑performance, lightweight script language on the JVM. It can compile expressions to bytecode. Initially an expression engine only, it now supports if/else and loops since version 5.0.

2.2 MVEL

A mixed dynamic/static typed expression language embeddable in Java, widely used in Java projects. Inspired by Java syntax, it offers collection, array, string matching operators and regex support. First released in 2007.

2.3 OGNL

Object‑Graph Navigation Language for getting/setting Java object properties, list projection, selection, and lambda expressions. Released in 2005.

2.4 SpEL

Spring Expression Language, a powerful language for querying and manipulating object graphs at runtime, with method invocation and string templating features.

2.5 QLExpress

Designed by Alibaba for e‑commerce rule processing, supporting dynamic scripts, high‑precision math, and custom syntax. Open‑sourced in 2012.

2.6 JEXL

Java Expression Language that extends JSTL EL, supporting most shell and ECMAScript concepts. First version released in 2005.

2.7 JUEL

Implementation of the Unified Expression Language (EL) standard, part of JSP 2.1 and JEE5, with updates up to JEE6.

2.8 Janino

A tiny, fast Java compiler that can also serve as an expression engine. Used by projects like Apache Spark and Flink.

3. Evaluation Criteria

3.1 Community Support

Metrics such as GitHub stars, watches, forks, and recent commits (as of 2023‑10‑29) show SpEL has the strongest community backing, followed by QLExpress, AviatorScript, and MVEL.

3.2 Size and Dependencies

Code size (2023‑10‑29) ranges from ~600 KB (JUEL, QLExpress) to >7 MB for SpEL (including Spring core dependencies). Dependency trees are shown below:

+- org.mvel:mvel2:jar:2.5.0.Final:compile
+- com.googlecode.aviator:aviator:jar:5.3.3:compile
+- com.alibaba:QLExpress:jar:3.3.1:compile
   +- commons-beanutils:commons-beanutils:jar:1.8.2:compile
   +- commons-lang:commons-lang:jar:2.4:compile
+- org.codehaus.janino:janino:jar:3.1.10:compile
   +- org.codehaus.janino:commons-compiler:jar:3.1.10:compile
+- ognl:ognl:jar:3.4.2:compile
   +- org.javassist:javassist:jar:3.29.2-GA:compile
+- org.apache.commons:commons-jexl3:jar:3.3:compile
   +- commons-logging:commons-logging:jar:1.2:compile
+- org.springframework:spring-expression:jar:5.3.29:compile
   +- org.springframework:spring-core:jar:5.3.29:compile
   +- org.springframework:spring-jcl:jar:5.3.29:compile
+- de.odysseus.juel:juel-api:jar:2.2.7:compile
+- de.odysseus.juel:juel-impl:jar:2.2.7:compile
+- de.odysseus.juel:juel-spi:jar:2.2.7:compile

3.3 Performance

Benchmarks using JMH cover literal expressions, variable‑based expressions, and method‑call expressions. Results highlight that AviatorScript, SpEL, MVEL, and OGNL generally perform best, while JEXL, JUEL, and QLExpress lag behind.

3.4 Security

Expression engines can introduce injection risks. Vulnerability scans show OGNL and SpEL appear more frequently in CVE databases due to widespread use. Security settings such as white‑lists, sandbox modes, and feature toggles are available in AviatorScript, QLExpress, and JEXL.

// AviatorScript white‑list example
AviatorEvaluator.setOption(Options.ALLOWED_CLASS_SET, Sets.newHashSet(List.class));
AviatorEvaluator.setOption(Options.MAX_LOOP_COUNT, 10000);
AviatorEvaluator.getInstance().disableFeature(Feature.NewInstance);

// QLExpress sandbox and white‑list
QLExpressRunStrategy.setSandBoxMode(true);
QLExpressRunStrategy.setCompileWhiteCheckerList(Arrays.asList(
    CheckerFactory.must(Date.class),
    CheckerFactory.assignable(List.class)
));

// JEXL sandbox configuration
new JexlBuilder().sandbox(new JexlSandbox()).create();
new JexlBuilder().permissions(JexlPermissions.RESTRICTED.compose("com.jd.*")).create();

3.5 Usage Cases

Industry adoption shows AviatorScript, MVEL, and QLExpress are used in various Chinese enterprise projects, providing practical references.

3.6 Syntax Comparison

Syntax differences affect learning curve and expressiveness. AviatorScript introduces its own types and syntax; MVEL and JEXL are close to Java; OGNL, SpEL, and JUEL have simpler syntax but lack control statements or function definitions.

4. Selection Recommendations

• Community: SpEL leads, followed by AviatorScript, QLExpress, and MVEL. • Size & Dependencies: AviatorScript and MVEL are lightweight. • Performance: Choose SpEL or MVEL for heavy arithmetic/method calls; AviatorScript offers balanced performance. • Security: AviatorScript, QLExpress, and JEXL provide configurable security options. • Usage Cases: AviatorScript, MVEL, and QLExpress have solid real‑world examples. • Syntax: MVEL and JEXL are generally easier for Java developers.

Considering these factors, teams can select the expression engine that best matches their project’s priorities.