---
title: Sample OGNL expressions
description: OGNL expressions provide the flexibility to evaluate and manipulate values. These applications include using the following expressions to determine net worth, form a single sign-on (SSO) token, verify a user's group, retrieve a value from an HTTP request object, and check the authenticity of a client certificate.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_sample_ognl_express
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_sample_ognl_express.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  general: General
  multivalued-attribute: Multivalued attribute
  token-authorization: Token authorization
  http-request-context: HTTP request context
  sts-client-authentication-context: STS client authentication context
  related-links: Related links
---

# Sample OGNL expressions

OGNL expressions provide the flexibility to evaluate and manipulate values. The following sample expressions show how to determine net worth, form a single sign-on (SSO) token, verify a user's group, retrieve a value from an HTTP request object, and check the authenticity of a client certificate.

## General

In this sample expression, the value of the attribute "net-worth" is transformed first to eliminate any dollar signs or commas, then the result is evaluated to determine whether the user's net worth falls into a "bronze," "silver," or "gold" category.

```
#result=#this.get("net-worth").toString(),
#result=#result.replace("$",""),
#result=#result.replace(",",""),
#result < 500000 ? "bronze" :
#result < 1000000 ? "silver" : "gold"
```

## Multivalued attribute

```
new org.sourceid.saml20.adapter.attribute.AttributeValue( {"Blue", "Gray", "Pink"})
```

This expression formulates a multivalued attribute in an SSO token.

```
<saml:Attribute Name="clrs" ...>
  <saml:AttributeValue ...>Blue</saml:AttributeValue>
  <saml:AttributeValue ...>Gray</saml:AttributeValue>
  <saml:AttributeValue ...>Pink</saml:AttributeValue>
</saml:Attribute>
```

and

```json
{
  ...,
  "clrs": [
    "Blue",
    "Gray",
    "Pink"
  ],
  ...
}
```

In these truncated samples, `clrs` is the multivalued attribute. The former is a SAML assertion through a SAML service provider (SP) connection. The latter is a JSON web token (JWT) through a WS-Federation SP connection using JWT as the token type.

## Token authorization

This expression verifies whether a user is a member of the "Engineering" or "Marketing" group.

```
#this.get("ds.memberOf")!=null?
(
  (
    #this.get("ds.memberOf").hasValue("CN=Eng,OU=E,DC=contoso,DC=com")
    &&
    #this.get("context.VirtualServerId").toString().equals("Engineering")
  )
  ||
  (
    #this.get("ds.memberOf").hasValue("CN=Mkt,OU=M,DC=contoso,DC=com")
    &&
    #this.get("context.VirtualServerId").toString().equals("Marketing")
  )
):false
```

The following expression extracts the domain information out of an email address (`mail`) and returns true if it matches a specific domain.

```
#this.get("mail")!=null?
(
  #email=#this.get("mail").toString(),
  #atSign="@",
  #at=#email.indexOf(#atSign),
  #at > 0?
    (
      #domain=#email.substring(#at+1),
      #domain.matches("(?i)example[.]com")
    ):false
):false
```

Line breaks are inserted in both samples for readability only. You must enter statements that call methods whose arguments are enclosed in quotes on a single line.
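The Java below is an added example, not code from PingFederate or from this page. It repeats the steps of the email-domain expression (`indexOf`, `substring`, `String.matches`) on constructed addresses to show how the pattern's dot is interpreted. The class name, the `literalCheck` variant, and all sample values are assumptions.

```java
public class MailDomainCheck {
    // Same steps as the OGNL sample: first "@", substring after it, String.matches.
    static boolean sampleCheck(String mail, String pattern) {
        if (mail == null) return false;
        int at = mail.indexOf("@");
        if (at <= 0) return false;
        String domain = mail.substring(at + 1);
        return domain.matches(pattern);   // matches() must cover the whole string
    }

    // Stricter variant (assumption, not from the page): literal, case-insensitive
    // comparison of everything after the last "@".
    static boolean literalCheck(String mail, String expectedDomain) {
        if (mail == null) return false;
        int at = mail.lastIndexOf('@');
        if (at <= 0 || at == mail.length() - 1) return false;
        return mail.substring(at + 1).equalsIgnoreCase(expectedDomain);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real directory.
        String[] mails = {
            "alice@example.com", "bob@EXAMPLE.COM", "carol@exampleXcom",
            "dave@example.com.test", "@example.com", "erin", null
        };
        for (String m : mails) {
            System.out.printf("%-24s anyChar=%-5b literalDot=%-5b equalsIgnoreCase=%b%n",
                m,
                sampleCheck(m, "(?i)example.com"),     // "." matches any character
                sampleCheck(m, "(?i)example[.]com"),   // "[.]" matches only a dot
                literalCheck(m, "example.com"));
        }
    }
}
```

Only the pattern with the bare `.` accepts `carol@exampleXcom`. All three checks reject the addresses with no local part, no `@`, or a longer domain.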

This sample expression returns true when the IP address of the client is within the specified CIDR range of `fe80::74da:14b:76d1:eba3/128`.

```
#isWithinCidrRange = @com.pingidentity.sdk.CIDROperations@isInRange(#this.get("context.ClientIp"),"fe80::74da:14b:76d1:eba3/128")
```

The `isInRange` method supports both IPv4 and IPv6 CIDR notations.
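To make the prefix comparison concrete, the following added example sketches a CIDR membership test in plain Java. It is not the implementation of `CIDROperations.isInRange`, and the class, the `inRange` helper, and the sample inputs are assumptions. It shows that a `/128` range matches exactly one IPv6 address and that an IPv4 address is never inside an IPv6 range.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class CidrCheck {
    // Hypothetical helper; illustrates the prefix comparison, not the SDK's code.
    static boolean inRange(String ip, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/", 2);
        if (parts.length != 2) throw new IllegalArgumentException("not CIDR: " + cidr);
        // Pass IP literals only: getByName() resolves host names through DNS.
        byte[] addr = InetAddress.getByName(ip).getAddress();
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        int prefix = Integer.parseInt(parts[1]);
        if (prefix < 0 || prefix > net.length * 8)
            throw new IllegalArgumentException("bad prefix length: " + cidr);
        if (addr.length != net.length) return false;   // IPv4 vs IPv6: never in range
        int fullBytes = prefix / 8, restBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (addr[i] != net[i]) return false;       // whole bytes of the prefix
        if (restBits == 0) return true;
        int mask = (0xFF << (8 - restBits)) & 0xFF;    // leading bits of the next byte
        return (addr[fullBytes] & mask) == (net[fullBytes] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample inputs; the /128 range is the one used on this page.
        String v6 = "fe80::74da:14b:76d1:eba3/128";
        System.out.println(inRange("fe80::74da:14b:76d1:eba3", v6));
        System.out.println(inRange("fe80::74da:14b:76d1:eba4", v6));
        System.out.println(inRange("fe80::1", "fe80::/10"));
        System.out.println(inRange("192.0.2.77", "192.0.2.64/26"));
        System.out.println(inRange("192.0.2.130", "192.0.2.64/26"));
        System.out.println(inRange("192.0.2.77", v6));
    }
}
```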

## HTTP request context

You can use the following example to retrieve a value from an HTTP request object. The expression retrieves the `User-Agent` HTTP header value and compares it against a value required for token authorization.

```
#this.get("context.HttpRequest").getObjectValue().getHeader("User-Agent").equals("somevalue")
```

## STS client authentication context

This security token service (STS) SSL Client Certificate Chain example checks that the issuer of the client certificate matches the specified distinguished name (DN).

```
#this.get("context.StsSSLClientCertChain").getObjectValue()[1].getSubjectX500Principal().equals(new javax.security.auth.x500.X500Principal("CN=Ping Identity Engineering,OU=Engineering,O=Ping Identity,L=Denver,ST=CO,C=USA"))
```

`#this.get("context.StsSSLClientCertChain").getObjectValue()` returns an array of `java.security.cert.X509Certificate` instances. This array starts with the client certificate itself, so the expression reads the issuer's certificate at index `[1]`. A chain that contains only the client certificate has no element at that index. For more information, see <https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html>.

## Related links

* [The OGNL language guide from Apache Commons](https://commons.apache.org/dormant/commons-ognl/language-guide.html)
