JACL vs JUGA - Why I Still Choose JACL - Joomla 1.5 Security ACL

Joomla 1.0 and 1.5 have a basic, but workable security model based on a simple access control list (ACL) framework.

In Joomla 1.0, the "killer-app" for extending the core ACL into a rich ACL solution is JACLPlus by www.byostech.com

In Joomla 1.5, for some reasons I'll explore below, the answer isn't so easy.

In the forthcoming Joomla 1.6 release, the answer is easy again, because fine-grained, extensible ACL is being provided in the core!  (go core team)

If it's so damn good, why not just continue to use JACLPlus in Joomla 1.5?  Well, because the byostech folks decided to tighten up the rules around the product so that they'd make a little more money (good commercial decision, sucky decision for the GPL community).  JACLPlus for Joomla 1.5 is only available in an encrypted "ioncube" "Pro" version that is purchased on a subscription plan.  Subscription plans are totally fine and acceptable (even encouraged) in the Joomla universe.  But encrypted solutions are frowned upon, both because they prevent open access to the code in the spirit of open source, and because the libraries required to decrypt them at runtime (on-the-fly) are often not included in the hosting environments that a lot of people use. Therefore, JACLPlus went from being the no-brainer darling ACL solution for Joomla 1.0 to the "oh dammit, there's limitations" solution for Joomla 1.5. 

Accordingly, along came alternatives like NOIX and JUGA.

These new entrants trumpet their openness ("we're not encrypted") and that they don't "hack the core", which on the surface appears to be a good thing.  But when it comes to security, it turns out that these "layered" security solutions leave some pretty wide open holes in the security model that defeat the purpose of having advanced security in the first place.

It turns out that JUGA also requires you to purchase a subscription to access the current version, putting it on par with JACLPlus in the licensing comparison.

I've looked hard at JUGA, NOIX, and JACLPlus Pro for Joomla 1.5, and my professional opinion is that for hard core, extended security on Joomla 1.5, JACLPlus Pro is STILL the component that I recommend to all of my customers (and anyone else who cares to listen).  JUGA and NOIX are good solutions, and clearly, many, many people find them just the trick for their website.  If they work for you, then ROCK ON!

However, it's feedback like the following post on the Joomla Extensions Directory for JUGA that highlights that the only way to really ensure security is enforced in a Joomla 1.5 site is to accept that you need to modify the core and the components you use, so that they natively support security inside the component, instead of layering security over the top of the core and components and hoping that you catch every pathway to the product data:

From the Joomla Extensions Directory - http://extensions.joomla.org/extensions/2587/details

"Close, but no cigar by AprilFloyd on December 19, 2008

We have installed this on a client's website and were initially impressed by it. Everyone knows that user groups is not a Joomla strong point and it seems to fit the bill. There are some issues we found:

1. Hiding/Showing menu links does not always work well depending on your template menu system (e.g. if you are using/modifying templates from joomlart or yootheme, you may find things not as straightforward as JUGA suggests).

2. Search - we found that you could hide/show content easily enough based on user groups, but that content can still be found if you search for it. Which kind of defeats the purpose.

3. Links to Sections/Categories - If you are displaying a list of links, e.g. with a section list, those articles that you have set to be hidden will still show.

4. It is recommended that you only 'synchronize' your content with JUGA when you first install, but we found that site items did not always show up.

Overall we like this component and feel the developers have done a good job in addressing something that we will all find useful.

We are sticking with it and will use it again. We recommend it."

ACL components like JUGA and NOIX enforce security by trying to stop your access to the content as it's being delivered to the screen, by intercepting it.  That works everywhere you can intercept it.  But as noted above, menus, search, table listings, and other elements make this difficult to do.  JACLPlus attacks this head on, and just modifies the core and popular components to enforce the security rules natively BEFORE information is delivered to the screen.  Yes, some people call this "hacking", but the patching solution provided by JACLPlus is one of the most professional solutions I've seen (all extensions could aspire to patch as well as the com_patch component provided by JACLPlus; the only peers that I've seen so far are valanx.org - AEC and Sam Moffat's code).  It is my opinion that these patches that go to the heart of security are the best approach to ensuring that you really are securing content on your website.  This is also how fine-grained ACL is addressed in Joomla 1.6.

It's also interesting to note that JUGA's solution for fixing the gaps where security enforcement slips through is for you to "modify" the code in question, for example, from the Joomla Extensions Directory for JUGA:

"Some templates use their own internal module for displaying menus -- this is not something we can control (nor do we want to).

In these cases, to make the module recognize JUGA's restrictions, you will have to modify the template's internal module."

Who wants their menu to enforce security?   Everyone.  Therefore, you'll need to "modify" aka "hack" the menu to make it enforce security.  My thinking is that if you're going to have to "modify" things anyway, why not use a solution that does that for you out of the box, that provides a really simple way of doing it, and has been doing it for four years?  That's what JACLPlus does.
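To make the "intercept at the screen" versus "enforce before delivery" distinction concrete, here is an added toy model in Python. It is not code from the original post, from JUGA, NOIX or JACLPlus, and it does not model Joomla's real tables; the articles, groups, and the `LayeredSite` / `NativeSite` classes are all constructed for illustration. The layered site checks access only in the article view (the pathway the overlay happened to intercept), while the native site routes every read through one repository method that applies the ACL, so search and section listings inherit the check automatically. The `leaked_titles` helper is the kind of audit a site owner can run after deploying any ACL extension: anything reachable through search or a listing that cannot be opened directly is a gap.

```python
"""Constructed toy model: render-time ACL overlay vs. ACL in the data access layer."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Article:
    id: int
    title: str
    body: str
    section: str
    allowed_groups: frozenset  # groups permitted to see this article


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


# Constructed sample content store (not real site data).
ARTICLES = [
    Article(1, "Public welcome", "Hello everyone", "news", frozenset({"public"})),
    Article(2, "Board minutes", "Budget approved", "members", frozenset({"board"})),
    Article(3, "Member newsletter", "Budget approved for the gala", "members",
            frozenset({"members", "board"})),
]


def can_view(user, article):
    """Group-based rule: the user needs at least one of the article's allowed groups."""
    return bool(user.groups & article.allowed_groups)


class LayeredSite:
    """Overlay-style ACL: only the article view was intercepted. The search and
    section-list pathways predate the overlay and read the store directly."""

    def view_article(self, user, article_id):
        art = next((a for a in ARTICLES if a.id == article_id), None)
        if art is None or not can_view(user, art):
            return None  # the overlay intercepts here, and only here
        return art.title

    def search(self, user, term):
        # Unpatched pathway: no ACL check, so hidden content is still searchable.
        return [a.title for a in ARTICLES if term.lower() in a.body.lower()]

    def section_list(self, user, section):
        # Unpatched pathway: hidden articles still appear in the listing.
        return [a.title for a in ARTICLES if a.section == section]


class NativeSite:
    """ACL applied in the data access layer: every pathway reads through
    _visible(), so none of them can bypass the rule."""

    def _visible(self, user):
        return [a for a in ARTICLES if can_view(user, a)]

    def view_article(self, user, article_id):
        art = next((a for a in self._visible(user) if a.id == article_id), None)
        return art.title if art else None

    def search(self, user, term):
        return [a.title for a in self._visible(user) if term.lower() in a.body.lower()]

    def section_list(self, user, section):
        return [a.title for a in self._visible(user) if a.section == section]


def leaked_titles(site, user, term="budget", section="members"):
    """Audit: titles the user reaches via search or listing but cannot open directly.
    A non-empty result means some pathway is not enforcing the ACL."""
    reachable = set(site.search(user, term)) | set(site.section_list(user, section))
    openable = {site.view_article(user, a.id) for a in ARTICLES} - {None}
    return sorted(reachable - openable)


if __name__ == "__main__":
    guest = User("guest", frozenset({"public"}))
    print("layered overlay leaks:", leaked_titles(LayeredSite(), guest))
    print("native enforcement leaks:", leaked_titles(NativeSite(), guest))
```

Running the block with a guest user who is only in the "public" group shows the layered site leaking the two member-only titles through search and the section listing, while the native site leaks nothing; the article view behaves identically on both, which is exactly why a spot check of the article page alone gives false confidence.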

Now, on the pricing front, JACLPlus does require you to pay.  They require you to become a Charter Member to access both the core component and the extension patches.  Their price?  USD$38 for three months.  You can install JACLPlus Pro on three websites for that price. JUGA is similar, but slightly cheaper.  Their price? USD$49.99 for six months.  These prices are so similar, and small, that price is not a differentiator in the analysis of these products.

One of the nice benefits of being a Charter Member is that they will produce patches for you when you start using a component that does not have native extended ACL support.  Many times I've submitted a patch request, and within 48 hours they have sent back the patch for me.  I did this most recently just last week, when I asked for a patch for the very latest release of Kunena, version 1.5.5.  I received the patch within 24 hours.

So, just exactly what does JACLPlus provide enhanced security for?  Well, here is the list that I am using:

  • Core articles, categories, sections, menus, and modules
  • Community Builder
  • DocMan
  • JEvents
  • Joomfish
  • Kunena
  • VirtueMart (only very basic security)
  • XMap

The byostech.com team provides patches for all of these components.  That's a pretty extensive security offering.  Plus, as a Charter Member, you can request more.

A number of other components support JACLPlus out of the box without requiring a patch, including:

  • Account Expiration Control (AEC)
  • ACAJoom PRO (the commercial upgrade of ACAJoom)
  • EventList
  • Fabrik
  • Phoca Gallery

The combination of Joomla, AEC, Community Builder, JACLPlus, Kunena, and DocMan is pretty amazing (and has been for years on both Joomla 1.0 and Joomla 1.5), as it offers a way for members to signup to your website using both free and paid plans, and be automatically put into a JACLPlus security group by AEC, which then gives you secured access to menus, articles, modules, documents, and forum areas.

However, that all said, what is my number one feature request for JACLPlus for Joomla 1.5?

Get rid of the ioncube encryption!!!  It makes it hard to roll out the solution on normal hosting environments, and it is acting as a barrier to most Joomla users from more widely adopting JACLPlus as THE ACL solution for Joomla 1.5.

In fact... this is my only feature request for JACLPlus for Joomla 1.5.

It is my opinion, that if you want the most complete security extension for Joomla 1.5, then JACLPlus Pro is your best bet.
