Let's say we have an Apache reverse proxy in front of our Nuxeo server that authenticates clients with certificates as described here: http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#accesscontrol. Apache sends a REMOTE_USER header to Nuxeo, which we use with the Trusting_LM module to accomplish authentication in Nuxeo.
Since the client certificate is sent with each request, the existing Nuxeo Drive authentication mechanisms do not make sense in this environment. Furthermore, implementing client certificate authentication in Python is a bit messy (see http://stackoverflow.com/questions/1875052/using-paired-certificates-with-urllib2). The big problem with Python 2.x SSL client certificate support concerns how the certificate password is captured. By default, Python 2.x with urllib2 will prompt for the password upon each request, which is unacceptable. Python 3.x allows the password to be captured externally and then passed to the underlying HTTP library, which opens the certificate and subsequently presents it to the server. PycURL (http://pycurl.sourceforge.net/) can be used with Python 2.x to achieve the same result. However, PycURL introduces a native dependency on libcurl, which may or may not be desired.
Nuxeo Drive currently relies on the standard urllib2 library.
=> We could consider using PycURL as opposed to urllib2 in Nuxeo Drive.
Also, in such an environment, storing the certificate password would be unacceptable. So Nuxeo Drive would need to prompt for the password each time it is started.
NXDRIVE-31 covers using PycURL instead of urllib2 as the main HTTP library, and work in progress lives in a dedicated branch: https://github.com/nuxeo/nuxeo-drive/tree/feature-NXP-14046-migrate-urllib2-to-pycurl
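To make the Python 3.x point concrete (the passphrase captured externally and handed to the HTTP library, and, as the note above requires, prompted for once at startup rather than stored), here is an added example that is not part of the issue, the Nuxeo Drive code base, or the PycURL branch. It uses only the standard `ssl` and `urllib.request` modules of Python 3; the certificate and key paths and the Nuxeo URL are placeholders, and the `ask` hook exists only so the prompt can be replaced in a test.

```python
import getpass
import ssl
import urllib.request

# Placeholder paths and URL (assumptions, not values from the issue).
CLIENT_CERT = "/path/to/client-cert.pem"
CLIENT_KEY = "/path/to/client-key.pem"
NUXEO_URL = "https://nuxeo.example.org/nuxeo/"


def make_password_provider(ask=getpass.getpass):
    """Return a zero-argument callable that prompts for the key passphrase once.

    The passphrase lives only in process memory; nothing is written to disk.
    ssl.SSLContext.load_cert_chain accepts such a callable as its ``password``
    argument and calls it when the encrypted private key is decrypted.
    """
    cache = {}

    def provider():
        if "passphrase" not in cache:
            cache["passphrase"] = ask("Client certificate key passphrase: ")
        return cache["passphrase"]

    return provider


def build_ssl_context(certfile=None, keyfile=None, password_provider=None, cafile=None):
    """Build a client context that verifies the proxy's server certificate and,
    when a certfile is given, loads the client certificate and key.

    The key is decrypted once here, at load time; the TLS handshake of every
    later request reuses the loaded key, so there is no per-request prompt.
    """
    # create_default_context() enables CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile, password=password_provider)
    return ctx


def build_opener(ctx):
    """Return a urllib opener whose HTTPS connections use the given context."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    provider = make_password_provider()
    opener = build_opener(build_ssl_context(CLIENT_CERT, CLIENT_KEY, provider))
    # Two requests, one prompt: the proxy authenticates each request by the
    # client certificate presented in the handshake, not by a session cookie.
    for _ in range(2):
        with opener.open(NUXEO_URL) as resp:
            print(resp.status, resp.geturl())
```

The design choice worth noting is that the passphrase callable is the only place the secret exists, and it is consulted exactly once when the context loads the key; everything after that is the decrypted key held by OpenSSL inside the process. That is what makes the "prompt at startup, never store" requirement compatible with a long-running client that issues many requests.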