NAME
Kernel::WebApp – Entry point for the built-in web server based on Mojolicious.
DESCRIPTION
This class represents the OTRS web application, an HTTP server based on Mojolicious. It serves both the legacy front-ends of OTRS, such as the agent interface, and the new webpack-based External Interface frontend application.
Security Concept of the Agent & External Interfaces and the REST API
All modern front-ends are client-side, single-page applications generated with webpack that use a REST API on the server. This is what most of Kernel::WebApp is about. The following security measures are in place:
- Content Security Policy: Content Security Policy headers are set for the client application, restricting access to the current server only. See Kernel::WebApp::Controller::Role::SetsSecurityHeaders for details. Most notably, JavaScript code can only be fetched from the webpack-generated assets folder. Any other scripts (inline, from different folders or from remote) will be ignored. Other resource types are restricted as much as possible as well.
- JSON Web Tokens: For authentication, JSON Web Tokens (RFC 7519) are used for cryptographically secured, client-side storage of authentication information. These tokens have to be sent in the standard HTTP Authorization header. They contain only minimal information (such as the username) and are stored in localStorage on the client side. Tokens can be revoked in the session administration. The tokens also include information about the remote IP address and are invalidated if this changes (this check can be turned off with the CheckSessionRemoteIP option). This also works behind reverse proxies if proxy support is enabled in WebApp.conf. Endpoints can specify that they can only be used with a valid token; otherwise a 401 Unauthorized response will be generated automatically (see Kernel::WebApp::Controller::API::Role::RequiresCustomerAuthentication).
- Restricted use of Cookies: Endpoints can specify that they can also be called with a cookie containing the token. This is necessary because in some contexts (like loading inline images) it is not possible to send custom HTTP headers. To guard against CSRF attacks, these cookies are generated by the server with the httpOnly option and are only accepted by the endpoints that really need them.
- Deep validation of input data: Endpoints specify which kind of input data they expect (see Kernel::WebApp::Controller::API::Role::ValidatesInputData and Kernel::System::DataValidation). This causes an implicit validation of the data and can include deep validations, such as checking for an existing TicketID. In case of errors, a 422 Unprocessable Entity response will be generated automatically.
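The following Mojolicious::Lite application is an added illustration of the four measures above and is not code from Kernel::WebApp or OTRS: it sets a CSP header on every response, accepts a JWT from the Authorization header (or, only where an endpoint opts in, from an httpOnly cookie), binds the token to the remote address as CheckSessionRemoteIP does, and answers 401 or 422 for missing auth or invalid input. Mojo::JWT (a CPAN module), the route paths, the demo credentials and the ticket data are all assumptions made for this example.

```perl
use Mojolicious::Lite -signatures;
use Mojo::JWT;    # CPAN module (not part of Mojolicious core), assumed to be installed

my $secret  = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';                  # placeholder
my %TICKETS = (1 => 'Printer broken', 2 => 'VPN access request');    # constructed sample data

# 1. Security headers on every response. The page above describes a tighter policy
#    (scripts only from the webpack assets folder); 'self' is the generic stand-in.
hook after_dispatch => sub ($c) {
    $c->res->headers->header('Content-Security-Policy' =>
        "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'");
};

# 2. JWT check: Authorization header by default, cookie only when the endpoint opts in.
helper current_user => sub ($c, $allow_cookie = 0) {
    my ($token) = ($c->req->headers->authorization // '') =~ /^Bearer\s+(\S+)$/;
    $token //= $c->cookie('token') if $allow_cookie;
    return undef unless defined $token;
    my $claims = eval { Mojo::JWT->new(secret => $secret)->decode($token) } or return undef;
    # Bind the token to the client address (the CheckSessionRemoteIP idea). Behind a
    # reverse proxy, enable Mojolicious' reverse_proxy support so the real address is used.
    return undef if ($claims->{ip} // '') ne ($c->tx->remote_address // '');
    return $claims;
};

post '/api/login' => sub ($c) {
    my ($user, $pass) = ($c->param('user') // '', $c->param('password') // '');
    # placeholder credential check; a real application verifies against its user store
    return $c->render(status => 401, json => {error => 'Unauthorized'})
      unless $user eq 'demo' && $pass eq 'demo';
    my $jwt = Mojo::JWT->new(secret => $secret, expires => time + 3600,
        claims => {sub => $user, ip => $c->tx->remote_address})->encode;
    # 3. The cookie copy is httpOnly so page scripts cannot read it; only opted-in endpoints accept it.
    $c->cookie(token => $jwt, {httponly => 1, secure => 1, samesite => 'Strict', path => '/'});
    $c->render(json => {token => $jwt});
};

# Header-only endpoint: 401 without a valid bearer token, 422 on invalid input.
get '/api/ticket/:id' => sub ($c) {
    $c->current_user(0) or return $c->render(status => 401, json => {error => 'Unauthorized'});
    my $id = $c->param('id');
    # 4. Deep validation stand-in: TicketID must be numeric and refer to an existing ticket.
    return $c->render(status => 422, json => {error => 'Unprocessable Entity', field => 'TicketID'})
      unless $id =~ /^\d+$/ && exists $TICKETS{$id};
    $c->render(json => {TicketID => $id, Title => $TICKETS{$id}});
};

# Cookie-accepting endpoint, for contexts that cannot send custom headers (e.g. inline images).
get '/api/ticket/:id/image' => sub ($c) {
    $c->current_user(1) or return $c->render(status => 401, json => {error => 'Unauthorized'});
    $c->render(data => "\x89PNG\r\n\x1a\n", format => 'png');    # placeholder image bytes
};

app->start;
```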
PUBLIC INTERFACE
startup()
This method will run once at server start.
LoadPlugins()
Locate and load all plugins from Kernel/WebApp/Plugin.
LoadRoutes()
Locate and load all routes from Kernel/WebApp/Controller.