Loading the initial configuration (when setting up the session) take too long. This should be cached (automagically detecting the cache method, i.e. mem, module, file) on a project by project basis and any subsequent config loads should use the cached version.
To reduce dependency on Apache (and thus opening JAS up for other webservers) the htaccess+modrewrite rule should be moved to JAS. This also allows the configuration to more easily enable/disable the functionality.
Currently the MIME database (include/mime.xml) is a static list provided as part of JAS. It would be handy if this list could easily be updated via the backend.
The question that comes to mind however is whether upgrade should overwrite a customized version. It seems rather annoying if you spend time to add your own MIME types that are subsequently forgotten when JAS is upgraded. Maybe adding a flag "custom" to the XML file to indicate it shouldn't be touched by upgrades.
High priority and low impact can and should be quickly fixed whereas low priority and high impact will end up lower on the list. With this in mind a "ranking" can be determined using the priority and impact fields (similar to the risk score in the Procon plugin).
Priority scores:
High
Medium
Low
Impact score:
LowMedium
High
Ranking = Priority score + Impact score - 1
Examples:
1 = High priority + Low impact
2 =
High priority + Medium impact
2 = ...
Generally show_from+show_total are used to split data over multiple pages. As such it's seems logical to support this natively. If show_page is set it should be used to calculate show_from (show_page * show_total) prior to getting the data (and thus overwriting the set show_from). When the data is gathered and show_count is set this value should be used to calculate show_pages ( ceil ( show_count / show_total)).
Templates using root_url in a native project (default project isn't JAS) seems to incorrectly create the URLs. Presumably this is due to the "/images/" functionality in the pager plugin.
The file (and image) field should get an additional field for the MD5 hash. The /files/ would then need a "MD5" variable that would download a "text/plain" file with the hash as content. The filename can be generated based on the original filename and a .md5 suffix (filename.ext.md5).
Note that it's probably wise to add a MD5 property to the file/image fields to allow it to be enabled/disabled.