Kernel::WebApp - Entry point for the built-in web server based on Mojolicious.

This class represents the OTRS web application, an HTTP server based on Mojolicious. It serves both the legacy front-end(s) of OTRS, such as the agent interface, and also the External Interface frontend application.

All modern front-ends are client-side, single-page applications generated with webpack that use a REST API on the server. This is what most of Kernel::WebApp is about. The following security measures are in place:
Content Security Policy

Content Security Policy headers are set for the client application, restricting access to the current server only. See Kernel::WebApp::Controller::Role::SetsSecurityHeaders for details. Scripts are only accepted from the webpack-generated assets folder; any other scripts (inline, from different folders or from remote) will be ignored. Other resource types are likewise restricted as much as possible.
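As an added illustration of the policy described above (this is example code, not the project's SetsSecurityHeaders role), the following Mojolicious::Lite application attaches a Content Security Policy and a few related hardening headers to every response. The asset path /assets/, the route and the page content are constructed for the demo; the policy builds the script source from the request's own origin so that only that folder qualifies, while everything else is limited to 'self'.

```perl
#!/usr/bin/env perl
# Added example (not OTRS code): attach a Content Security Policy and related
# hardening headers to every response of a small Mojolicious::Lite app.
# The asset path /assets/ and the other names are constructed for this demo.
use Mojolicious::Lite -signatures;

# Folder holding the webpack build output (constructed for the demo).
my $ASSET_PATH = '/assets/';

app->hook(after_dispatch => sub ($c) {
    # Origin of this very server, e.g. http://127.0.0.1:3000 (with
    # MOJO_REVERSE_PROXY=1 it reflects the proxy's X-Forwarded-* headers).
    my $origin = $c->req->url->base->to_string;
    my $h      = $c->res->headers;
    $h->header('Content-Security-Policy' => join '; ',
        "default-src 'self'",                # every resource type: this server only
        "script-src $origin$ASSET_PATH",     # scripts: only the webpack assets folder;
                                             # inline and remote scripts are ignored
        "style-src 'self'",
        "img-src 'self' data:",              # inline images served by the API
        "connect-src 'self'",                # REST calls go to this server only
        "frame-ancestors 'none'",
        "object-src 'none'",
        "base-uri 'self'",
    );
    $h->header('X-Content-Type-Options' => 'nosniff');
    $h->header('X-Frame-Options'        => 'DENY');
    $h->header('Referrer-Policy'        => 'same-origin');
});

# Shell page of the single-page application; only the referenced bundle
# inside /assets/ is allowed to execute under the policy above.
get '/' => sub ($c) {
    $c->render(text => '<!doctype html><html><body>'
        . '<div id="app"></div>'
        . '<script src="/assets/app.js"></script>'
        . '<script>alert("blocked by CSP")</script>'   # inline: never runs
        . '</body></html>', format => 'html');
};

app->start;
```

Start it with `perl csp.pl daemon` and request `curl -i http://127.0.0.1:3000/` to see the headers; the inline script in the page is there to show that the policy, not the markup, decides what runs. Put the webpack output into the public/assets directory so Mojolicious serves it from the allowed folder.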
JSON Web Tokens

JSON Web Tokens (RFC 7519) are used for cryptographically secured, client-side storage of authentication information. These tokens have to be sent using the standard HTTP Authentication header. They contain only minimal information (such as the username) and are stored in localStorage on the client side. Tokens can be revoked in the session administration.

The tokens also include information about the remote IP address and are invalidated if this changes (this can be turned off with the CheckSessionRemoteIP option). This also works behind reverse proxies, if proxy support is enabled in
Endpoints can specify that they can only be used with a valid token; otherwise a 401 Unauthorized response will be generated automatically (see Kernel::WebApp::Controller::API::Role::RequiresCustomerAuthentication).

Endpoints can specify that they can also be called with a cookie containing the token. This is necessary because in some contexts (like loading inline images) it is not possible to send custom

To guard against CSRF attacks, these cookies are generated by the server with the httpOnly option, and are only accepted by the endpoints that really need it.
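The token handling described in this section, as an added example that is not the project's own code: a Mojolicious::Lite API that issues HS256 JSON Web Tokens carrying the client's remote IP, verifies them from the Authorization header (or, only for an endpoint that opts in, from an httpOnly cookie), keeps a revocation list, and answers 401 Unauthorized otherwise. The routes, the secret, the in-memory revocation list and the $CHECK_REMOTE_IP flag (standing in for the CheckSessionRemoteIP option) are constructed for the demo; only core Perl modules and Mojolicious are used. Note that the verifier ignores the token header's alg field and always applies HS256, so a forged header cannot pick a weaker algorithm.

```perl
#!/usr/bin/env perl
# Added example (not OTRS code): HS256 JSON Web Tokens (RFC 7519) with a
# remote-IP claim, bearer-header or (opt-in) cookie transport, revocation and
# automatic 401 responses in a Mojolicious::Lite app. Routes, secret and
# option name are constructed for this demo.
use Mojolicious::Lite -signatures;
use Digest::SHA  qw(hmac_sha256);
use MIME::Base64 qw(encode_base64url decode_base64url);
use Mojo::JSON   qw(encode_json decode_json);

my $SECRET          = 'demo-secret-change-me';   # constructed; belongs in config
my $CHECK_REMOTE_IP = 1;                         # stands in for CheckSessionRemoteIP
my %revoked;                                     # token ids revoked by an admin

sub jwt_encode ($claims) {
    my @parts = map { encode_base64url(encode_json($_)) }
        { alg => 'HS256', typ => 'JWT' }, $claims;
    my $sig = encode_base64url(hmac_sha256(join('.', @parts), $SECRET));
    return join '.', @parts, $sig;
}

# Returns the claims, or undef if the signature, expiry, revocation list or
# (when enabled) the remote address do not check out. The header's "alg" is
# deliberately not consulted: HS256 with our key is the only accepted scheme.
sub jwt_verify ($token, $remote_ip) {
    my ($h, $p, $s) = split /\./, ($token // ''), 3;
    return undef unless defined $s;
    my $expected = encode_base64url(hmac_sha256("$h.$p", $SECRET));
    return undef unless length($s) == length($expected)
        && ($s ^ $expected) !~ /[^\0]/;          # constant-time comparison
    my $claims = eval { decode_json(decode_base64url($p)) } or return undef;
    return undef if ($claims->{exp} // 0) < time;
    return undef if $revoked{ $claims->{jti} // '' };
    return undef if $CHECK_REMOTE_IP && ($claims->{ip} // '') ne $remote_ip;
    return $claims;
}

# Authenticate from "Authorization: Bearer <token>"; fall back to the cookie
# only when the endpoint asks for it. Renders 401 and returns undef on failure.
helper require_auth => sub ($c, %opts) {
    my $token;
    if (($c->req->headers->authorization // '') =~ /^Bearer\s+(\S+)$/) { $token = $1 }
    elsif ($opts{allow_cookie}) { $token = $c->cookie('token') }
    # With MOJO_REVERSE_PROXY=1 remote_address comes from X-Forwarded-For.
    my $claims = jwt_verify($token, $c->tx->remote_address);
    return $claims if $claims;
    $c->render(status => 401, json => { error => 'Unauthorized' });
    return undef;
};

# A real login would check credentials; here every caller gets a token.
post '/api/login' => sub ($c) {
    my $token = jwt_encode({
        sub => 'demo-user',
        jti => join('-', time, $$, int rand 1e9),   # id used for revocation
        ip  => $c->tx->remote_address,
        exp => time + 3600,
    });
    # The client keeps the token in localStorage and sends it as a Bearer
    # header; the httpOnly cookie is scoped to the one path that needs it.
    $c->cookie(token => $token,
        { httponly => 1, secure => 1, samesite => 'Strict', path => '/api/inline-image' });
    $c->render(json => { token => $token });
};

get '/api/me' => sub ($c) {
    my $claims = $c->require_auth or return;
    $c->render(json => { user => $claims->{sub} });
};

# The browser fetches inline images without custom headers, so this endpoint
# (and only this one) also accepts the cookie.
get '/api/inline-image' => sub ($c) {
    $c->require_auth(allow_cookie => 1) or return;
    $c->render(text => 'image payload (constructed placeholder)');
};

# Revocation: the token id goes on the list and every later use fails.
post '/api/logout' => sub ($c) {
    my $claims = $c->require_auth or return;
    $revoked{ $claims->{jti} } = 1;
    $c->render(json => { revoked => $claims->{jti} });
};

app->start;
```

Run `perl jwt.pl daemon`, obtain a token with `curl -s -X POST http://127.0.0.1:3000/api/login`, and call `/api/me` with `-H "Authorization: Bearer $TOKEN"`; the same call without the header, with a tampered token, after `/api/logout`, or from a different source address (while $CHECK_REMOTE_IP is on) yields 401. The cookie carries `secure`, so browsers only send it over HTTPS; the point of restricting cookie acceptance to the image endpoint is that a cross-site request can at most fetch an image, never trigger a state-changing API call.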
Endpoints specify which kind of input data they expect (see Kernel::WebApp::Controller::API::Role::ValidatesInputData and Kernel::System::DataValidation). This causes an implicit validation of this data and can include deep validations like checking for an existing

In case of errors, a 422 Unprocessable Entity response will automatically be generated.
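As an added example of the validation flow just described (this is demo code, not ValidatesInputData or Kernel::System::DataValidation), the endpoint below declares the fields it expects, validates the JSON body with Mojolicious' built-in validator, adds a deeper "does the referenced queue exist" check, and answers 422 Unprocessable Entity listing the failed fields. The route, the field names and the %KNOWN_QUEUES lookup table are constructed for the demo.

```perl
#!/usr/bin/env perl
# Added example (not OTRS code): declared input validation for a JSON API
# endpoint, including a deep existence check, with a 422 response on failure.
# Route, field names and the queue table are constructed for this demo.
use Mojolicious::Lite -signatures;

my %KNOWN_QUEUES = (1 => 'Raw', 2 => 'Postmaster');   # constructed lookup table

post '/api/tickets' => sub ($c) {
    my $v = $c->validation;
    $v->input($c->req->json // {});          # validate the JSON body, not query params

    # Declared shape of the request: these checks run implicitly per field.
    $v->required('Title')->size(1, 200);
    $v->required('QueueID')->num(1);         # integer >= 1
    $v->optional('Body')->size(0, 10_000);

    # Deep validation: the referenced queue has to exist. param() only returns
    # values that passed the checks above, so a non-numeric id is skipped here.
    my $queue_id = $v->param('QueueID');
    $v->error(QueueID => ['exists']) if defined $queue_id && !$KNOWN_QUEUES{$queue_id};

    if ($v->has_error) {
        return $c->render(status => 422, json => {
            error  => 'Unprocessable Entity',
            # e.g. { "Title": "required", "QueueID": "exists" }
            fields => { map { $_ => $v->error($_)->[0] } @{ $v->failed } },
        });
    }

    $c->render(status => 201, json => {
        Title => $v->param('Title'),
        Queue => $KNOWN_QUEUES{$queue_id},
    });
};

app->start;
```

Try it with `curl -s -X POST http://127.0.0.1:3000/api/tickets -H 'Content-Type: application/json' -d '{"Title":"","QueueID":9}'`, which fails both the size check and the existence check, and again with `{"Title":"Printer down","QueueID":2}`, which is accepted. Rejecting unknown references at the validation stage keeps the business logic behind the endpoint from ever seeing a dangling id.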
This method will run once at server start.
Locate and load all plugins from
Locate and load all routes from