Benchmarks
Right let's see if we start benchmarking JAS on the usual suspects...
| WS | PHP | Cache | Backend login | Backend about | Frontend |
| Apache | Mod 5.6 | None | 0.057 | 0.138 | 0.167 |
| Apache | Mod 7.0 | None | 0.064 | 0.133 | 0.168 |
| Apache | FPM 5.6 | None | 0.056 | 0.136 | 0.162 |
| Apache | FPM 7.0 | None | 0.061 | 0.136 | 0.165 |
| Apache | FPM 5.6 | opcache | 0.017 | 0.144 | 0.113 |
| Apache | FPM 7.0 | opcache | 0.011 | 0.135 | 0.082 |
| Nginx | FPM 7.0 | opcache | 0.011 | 0.055 | 0.070 |
Not really surprising but interesting to see the combination of Nginx+Opcache+PHP7 makes a huge difference. The backend login page is 5 times faster, the backend about page about 2.5 and the frontpage of the JAS website more twice as fast as compared to a "default" LAMP setup.
JAS 1.1 Release Candidate
After 2 months of hard work we're closing in on JAS 1.1 and we celebrate this with JAS 1.1 RC1!
Here's a quick overview of all the changes:
- Pager plugin supports meta descriptions and keywords and link relations.
- Added Redis memory cache support, fixed Memcached PHP extension support
- Added PostgreSQL support
- Added CSRF protection
- Added advanced filter supports, check out the documentation
- Added some user feature
- Configuration is now cached so it loads a lot faster
- Pretty URLs have been reworked, see the webserver installation for more info
- Date convert can deal with non-English month names
- Various backend improvements
- And more...
Happy hunting!
JAS 1.0 Release Candidate 3
OK, we have been pretty busy over here so we had to delay the 1.0 release. On the upside we've done some extensive testing and decided to do one more release candidate before the final release. This one includes some security fixes, a small change and some other fixes. Next up, the final 1.0 release!
Security audit
So one of the things we wanted to do during the Release Candidate testing was a security audit. We've assessed a number of tools out there (OpenVAS, Nikto and w3af) and we settled on w3af. It allowed us to easily scan JAS for a vast amount of known security issues and gives a good indication of what issues there are and pointers to how to resolve them.
Now since JAS itself is just a framework there's not a lot to audit using a web security scanner. What can however be scanned are website implemented using JAS. So first up was a "full audit" (CSRF, SQLi, XSS, brute force, click jacking, etc.) on this website to see whether it would hold up. The only thing that came out of this was that it was susceptible to click jacking and a number of trivial things around the underlying infrastructure (i.e. the web-server), which is not surprising as it was a stock Apache installation without any security hardening. Other than that no significant security issues were found.
Round 2, let's knock on the door of the JAS backend and see whether we may enter. As the JAS backend requires reasonably strict passwords the standard brute force didn't have any effect. More over since the backend doesn't show anything other than a login box to anonymous users there wasn't anything to break. So as long as you're not leaving your credentials lying around there doesn't seem to be a way into the backend.
Ok so what if you are logged in to the backend and someone tricks you? By far the most elaborate scan we did was the JAS backend with the root user logged in. Like on the website it found it was susceptible to click jacking but it also had 2 XSS issues. The latter is rather serious as that could potentially be used to hijack someones session, effectively getting direct access to the backend. Obviously these issues were resolved and rerunning the full audit showed that both the backend and this website were now almost free of issues.
The only serious issue left is Cross-Site Request Forgery (CSRF) which could allow an attacker to submit content to the JAS backend. That said this would only be possible if you're logged into the JAS backend and you click on a forged link on another tab that was especially crafted for your website. Since fixing this issue would affect almost every form in JAS it was decided to push the fix to JAS 1.1.
JAS 1.0 Release Candidate 2
Many thanks to my loyal test team for breaking RC1, here's RC2! It includes around 40 fixes for a variety of things however it also includes a few changes that we just had to sneak in:
- array field type can now be used let SQL check a list of values
- going to project/ will now open the project frontend (rather that then old project/jas/project/ url)
- search.js is now a core script and the wysiwyg.js uses css for its styling
Happy hunting!
JAS 1.0 Release Candidate
After a lot of rework, fixes and a complete rewrite of the backend,
JAS 1.0 RC1 is finally here. There are a vast amount of changes since the previous release, so some rigorous testing will need to be done to ensure it's stable enough for a final 1.0 release. This will be done over the coming weeks after which the final release will be posted here.
On a pleasant side note, we also managed to squeeze in the changes for PHP 7. Although the changes touched pretty much every part of JAS, the impact was quite limited. Long story short, running JAS on PHP 7 should be a walk in the park, that is, assuming no fundamental changes will be done to PHP 7 after RC6.
PHP 7
We've had a first go at PHP 7 and admittedly... it's fast! The "startup" time on JAS backend pages seems to be about 0.02 seconds less than PHP 5 and the more elaborate pages load about twice as fast. For example the backend database overview loads in about 0.12 seconds compared to 0.23 with PHP 5.
So this alone is probably worth making the necessary changes to JAS to support PHP 7. Which actually doesn't seem like it's going to be a huge challenge so far the only thing that failed miserably is the fact that a "Error" class was introduced which clashes with the JAS Error class. Other than that the it seems wise to rename the class constructors to "__construct" as the old naming convention will probably be deprecated soon.
Long story short, JAS version 1.0 will probably support PHP 7 out of the box!
Almost there
After a nice little bit of clean up and restructuring JAS is now getting close to being released to the general public. We'll soon commence the "release candidate" testing to make sure all major issues are out of the way so you'll have smooth landing when you first try it out.
Until then however we'll be finishing up the last 2 new features for the backend:
- Project manager, which will allow you create and manage your projects' basics like the database configuration, core users and modules.
- Data import and export, to easily dump your data to CSV, XML, etc and import it in other installations.
