Nuxeo Drive / NXDRIVE-30

Client certificate authentication for Nuxeo Drive

      Description

      Let's say we have an Apache Reverse Proxy in front of our Nuxeo server that authenticates with certificates as described here: http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#accesscontrol. Apache sends a REMOTE_USER header to Nuxeo, which we use with the Trusting_LM module to accomplish authentication in Nuxeo.

      Since the secure certificate is sent with each request, the existing Nuxeo Drive authentication mechanisms do not make sense in this environment. Furthermore, implementing client certificate authentication in Python is a bit messy (see http://stackoverflow.com/questions/1875052/using-paired-certificates-with-urllib2). The big problem with Python 2.x SSL client certificate authentication concerns how the certificate password is captured. By default, Python 2.x with urllib2 will prompt for the password upon each request, which is unacceptable. Python 3.x allows the password to be captured externally and then passed to the underlying HTTP library, which opens the certificate and subsequently passes it to the server. PycURL (http://pycurl.sourceforge.net/) can be used with Python 2.x to achieve the same result. However, PycURL introduces a native dependency on libcurl, which may or may not be desired.

      Nuxeo Drive currently relies on the standard urllib2 library.
      => We could consider using PycURL as opposed to urllib2 in Nuxeo Drive.

      Also, in such an environment, storing the certificate password would be unacceptable. So Nuxeo Drive would need to prompt for the password each time it is started.

      See NXDRIVE-31 for using PycURL instead of urllib2 as the main HTTP library, and WIP in dedicated branch: https://github.com/nuxeo/nuxeo-drive/tree/feature-NXP-14046-migrate-urllib2-to-pycurl
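
The Python 3.x approach described above, as an added example that is not Nuxeo Drive code: the passphrase is requested once at startup, handed to the TLS layer, and never stored. The function names, file paths and URL are assumptions made for illustration.

```python
import getpass
import ssl
import urllib.request


def load_client_context(certfile, keyfile, server_ca=None, ask=getpass.getpass):
    """Build a TLS context that presents the client certificate in certfile.

    ask(prompt) supplies the key passphrase. OpenSSL invokes the callback only
    if the key file is encrypted, and only while load_cert_chain() runs, so
    the user is prompted at startup and never per request.
    """
    # Default client context: verifies the server certificate and host name.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_ca)

    cached = []

    def passphrase():
        # Ask at most once, even if the callback were to fire more than once.
        if not cached:
            cached.append(ask("Passphrase for %s: " % keyfile))
        return cached[0]

    ctx.load_cert_chain(certfile, keyfile, password=passphrase)
    # Drop our reference to the passphrase. From here on only the decrypted
    # key exists, in memory inside ctx; nothing is written to disk.
    cached.clear()
    return ctx


def make_opener(ctx):
    """Return a urllib opener whose HTTPS requests all reuse ctx."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    # Hypothetical paths and URL, for illustration only.
    ctx = load_client_context("drive-client.pem", "drive-client.key")
    opener = make_opener(ctx)
    with opener.open("https://nuxeo.example.com/nuxeo/") as resp:
        print(resp.status)
```
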
