Latest JAS v1.1.0

Documentation

Although the documentation has been available for quite a while, a fundamental part was still missing: the code itself. As of now the full function reference is available so you can easily look up how to use the JAS code base. Note that this is currently still auto-generated, so there are still a lot of descriptions missing.

JAS 1.1 has been released

JAS 1.1 is now available for download, here are the highlights: 

For more information about the changes please refer to the RC 1 news message or the Issue tracker.

Note that the upgrade process from 1.0 to 1.1 is unfortunately not seamless. Check the documentation on how to upgrade!

Thanks all for the hard work!

Benchmarks

Right, let's start benchmarking JAS on the usual suspects...

| WS | PHP | Cache | Backend login | Backend about | Frontend |
|---|---|---|---|---|---|
| Apache | Mod 5.6 | None | 0.057 | 0.138 | 0.167 |
| Apache | Mod 7.0 | None | 0.064 | 0.133 | 0.168 |
| Apache | FPM 5.6 | None | 0.056 | 0.136 | 0.162 |
| Apache | FPM 7.0 | None | 0.061 | 0.136 | 0.165 |
| Apache | FPM 5.6 | opcache | 0.017 | 0.144 | 0.113 |
| Apache | FPM 7.0 | opcache | 0.011 | 0.135 | 0.082 |
| Nginx | FPM 7.0 | opcache | 0.011 | 0.055 | 0.070 |

Not really surprising, but interesting to see that the combination of Nginx+Opcache+PHP7 makes a huge difference. The backend login page is 5 times faster, the backend about page about 2.5 times and the front page of the JAS website more than twice as fast compared to a "default" LAMP setup.

JAS 1.1 Release Candidate

After 2 months of hard work we're closing in on JAS 1.1 and we celebrate this with JAS 1.1 RC1! 

Here's a quick overview of all the changes:

Happy hunting!

JAS 1.0 goes public!

After many years of hard work JAS has finally been released to the world! JAS is a free web application platform which makes the life of your developers and application managers easier. It's an open source Content Management Framework that allows you to quickly create elaborate web-applications. Due to its consistent data approach you don't have to worry about how your data is managed and instead you can focus on how your applications actually work.


JAS relies solely on open source technology that is freely available and therefore the whole solution can be rolled out for free. Installing it is simply a matter of downloading the release, unpacking it in the web directory and setting up the password, which can be done in 30 seconds flat. To give you an idea about what JAS is, this website runs on JAS and this is how the backend looks. For more in-depth information please refer to the introduction or check out the full documentation.


Many thanks to everybody that has contributed to JAS over the years!

JAS 1.0 Release Candidate 3

OK, we have been pretty busy over here so we had to delay the 1.0 release. On the upside we've done some extensive testing and decided to do one more release candidate before the final release. This one includes some security fixes, a small change and some other fixes. Next up, the final 1.0 release!

Security audit

So one of the things we wanted to do during the Release Candidate testing was a security audit. We assessed a number of tools out there (OpenVAS, Nikto and w3af) and settled on w3af. It allowed us to easily scan JAS for a vast number of known security issues, and it gives a good indication of what issues there are and pointers on how to resolve them.

Now since JAS itself is just a framework, there's not a lot to audit using a web security scanner. What can be scanned, however, are websites implemented using JAS. So first up was a "full audit" (CSRF, SQLi, XSS, brute force, clickjacking, etc.) on this website to see whether it would hold up. The only things that came out of this were that it was susceptible to clickjacking, plus a number of trivial things around the underlying infrastructure (i.e. the web server), which is not surprising as it was a stock Apache installation without any security hardening. Other than that no significant security issues were found.

Round 2, let's knock on the door of the JAS backend and see whether we may enter. As the JAS backend requires reasonably strict passwords, the standard brute force didn't have any effect. Moreover, since the backend doesn't show anything other than a login box to anonymous users, there wasn't anything to break. So as long as you're not leaving your credentials lying around, there doesn't seem to be a way into the backend.

OK, so what if you are logged in to the backend and someone tricks you? By far the most elaborate scan we did was of the JAS backend with the root user logged in. As with the website, the scan found it was susceptible to clickjacking, but it also had 2 XSS issues. The latter is rather serious, as that could potentially be used to hijack someone's session, effectively getting direct access to the backend. Obviously these issues were resolved, and rerunning the full audit showed that both the backend and this website were now almost free of issues.

The only serious issue left is Cross-Site Request Forgery (CSRF), which could allow an attacker to submit content to the JAS backend. That said, this would only be possible if you're logged into the JAS backend and you click on a forged link on another tab that was specially crafted for your website. Since fixing this issue would affect almost every form in JAS, it was decided to push the fix to JAS 1.1.
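
As an added illustration of the clickjacking finding above (not JAS code and not part of the original audit), the following Python check classifies whether a response's headers restrict framing; a stock web-server response carrying neither header comes out as unprotected. The sample headers are constructed, and as a simplification only the first enforced policy that carries frame-ancestors is read.

```python
# Constructed sample responses as (header name, value) pairs; not captured from a JAS site.
STOCK = [("Server", "Apache"), ("Content-Type", "text/html")]
HARDENED = STOCK + [("X-Frame-Options", "SAMEORIGIN"),
                    ("Content-Security-Policy", "frame-ancestors 'self'")]


def _frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers):
    """Classify a response as 'deny', 'sameorigin', 'allowlist' or 'unprotected'."""
    xfo = ancestors = None
    for name, value in headers:
        name = name.strip().lower()
        # Report-Only policies are not enforced, so only the enforcing header counts.
        if name == "content-security-policy" and ancestors is None:
            ancestors = _frame_ancestors(value)
        elif name == "x-frame-options" and xfo is None:
            xfo = value.strip().lower()
    if ancestors is not None:
        # An enforced frame-ancestors directive overrides X-Frame-Options.
        if set(ancestors) <= {"'none'"}:
            return "deny"
        if any(src == "*" or src.endswith(":") for src in ancestors):
            return "unprotected"  # wildcard or scheme-only source: any site may frame
        return "sameorigin" if set(ancestors) == {"'self'"} else "allowlist"
    if xfo in ("deny", "sameorigin"):
        return xfo
    # Missing header, or the obsolete ALLOW-FROM value that current browsers ignore.
    return "unprotected"


if __name__ == "__main__":
    for label, sample in (("stock", STOCK), ("hardened", HARDENED)):
        print(label, framing_policy(sample))
```
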

JAS 1.0 Release Candidate 2

Many thanks to my loyal test team for breaking RC1, here's RC2. It includes around 40 fixes for a variety of things; however, it also includes a few changes that we just had to sneak in:
  • array field type can now be used to let SQL check a list of values
  • going to project/ will now open the project frontend (rather than the old project/jas/project/ URL)
  • search.js is now a core script and the wysiwyg.js uses css for its styling

Happy hunting!

Next release thoughts

RC1 testing is well underway and it seems there aren't too many bugs, so the final release is not going to be long. So this would be a nice time to have a look at the next release; here are a couple of things you can expect.

  • Reference text fields support
    Wouldn't it be nice if you could just type the first few characters of a reference and it would automatically link it instead of having to look through a dropdown list? And if you typed something that doesn't exist that it is automatically added? Inspired by the blog tags this feature will be available for all references.
  • Configurable users module
    The current user module is pretty basic, and although it does what it says on the tin, you might need some more flexibility. Think of email validation, preset language and timezone, IP restrictions, brute force protections, etc.
  • JAS Daemon
    Schedulers are very nice and all, but they just don't cut it for realtime processing of information. The JAS daemon will continuously monitor a variety of services (think HTTP, FTP, POP, file systems, etc.) and get busy if action is required. Additionally it will have a built-in scheduler so it can poll things like RSS feeds.
  • JSON & RSS APIs
    Of course JAS also needs a JSON API, we just didn't get around to building it. Additionally being able to monitor comment posts on your website via RSS would be nice right?
  • Workflow
    JAS already supports basic workflows for modules but anyone that can edit the module data can change its workflow state. The idea is to have events in the module that get triggered on a state change which can apply additional logic to determine whether the state change is allowed.
  • Encryption / Decryption
    Currently JAS only supports password hashing, the next release will have encrypt/decrypt for a number of the typical ciphers. This would for example enable PGP file signatures.

Have a look at the other changes that are lined up for 1.1.

JAS 1.0 Release Candidate

After a lot of rework, fixes and a complete rewrite of the backend, JAS 1.0 RC1 is finally here. There is a vast number of changes since the previous release, so some rigorous testing will need to be done to ensure it's stable enough for a final 1.0 release. This will be done over the coming weeks, after which the final release will be posted here.

On a pleasant side note, we also managed to squeeze in the changes for PHP 7. Although the changes touched pretty much every part of JAS, the impact was quite limited. Long story short, running JAS on PHP 7 should be a walk in the park, that is, assuming no fundamental changes will be done to PHP 7 after RC6.

PHP 7

We've had a first go at PHP 7 and admittedly... it's fast! The "startup" time on JAS backend pages seems to be about 0.02 seconds less than PHP 5 and the more elaborate pages load about twice as fast. For example the backend database overview loads in about 0.12 seconds compared to 0.23 with PHP 5. 

So this alone is probably worth making the necessary changes to JAS to support PHP 7. That actually doesn't seem like it's going to be a huge challenge: so far the only thing that failed miserably is the fact that an "Error" class was introduced, which clashes with the JAS Error class. Other than that, it seems wise to rename the class constructors to "__construct", as the old naming convention will probably be deprecated soon.

Long story short, JAS version 1.0 will probably support PHP 7 out of the box!

Almost there

After a nice little bit of clean-up and restructuring, JAS is now getting close to being released to the general public. We'll soon commence the "release candidate" testing to make sure all major issues are out of the way, so you'll have a smooth landing when you first try it out.

Until then, however, we'll be finishing up the last 2 new features for the backend:
  • Project manager, which will allow you to create and manage your projects' basics like the database configuration, core users and modules.
  • Data import and export, to easily dump your data to CSV, XML, etc. and import it in other installations.