refactor EAAF core to split API and Implementation

6 files changed, 747 insertions, 0 deletions

diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/IAuthenticationManager.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/IAuthenticationManager.java
new file mode 100644
index 00000000..4381211d
--- /dev/null
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/IAuthenticationManager.java
@@ -0,0 +1,94 @@
+/*******************************************************************************
+ * Copyright 2017 Graz University of Technology
+ * EAAF-Core Components has been developed in a cooperation between EGIZ,  
+ * A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *  
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+package at.gv.egiz.eaaf.core.api.idp.auth;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+
+public interface IAuthenticationManager {
+	
+	public static int EVENT_AUTHENTICATION_PROCESS_FOR_SP = 4003;
+	public static int EVENT_AUTHENTICATION_PROCESS_STARTED = 4000;
+	public static int EVENT_AUTHENTICATION_PROCESS_FINISHED = 4001;
+	public static int EVENT_AUTHENTICATION_PROCESS_ERROR = 4002;
+	
+		
+	/**
+	 * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} 
+	 * 
+	 * @param httpReqParam http parameter name, but never null
+	 */
+	void addParameterNameToWhiteList(String httpReqParam);
+
+	/**
+	 * Add a request header to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} 
+	 * 
+	 * @param httpReqParam http header name, but never null
+	 */
+	void addHeaderNameToWhiteList(String httpReqParam);
+	
+
+	/**
+	 * Starts an authentication process for a specific pending request
+	 * 
+	 * @param httpReq http servlet request
+	 * @param httpResp http servlet response
+	 * @param pendingReq Pending request for that an authentication is required
+	 * @return true if the pending request is already authenticated, otherwise false
+	 * @throws EAAFException
+	 */
+	boolean doAuthentication(HttpServletRequest httpReq, HttpServletResponse httpResp,
+			IRequest pendingReq) throws EAAFException;
+	
+	/**
+	 * Close an active authenticated session on IDP side
+	 * 
+	 * @param request http servlet request
+	 * @param response http servlet response
+	 * @param pendingReq ReqPending request for that an authentication session should be closed
+	 */
+	void performOnlyIDPLogOut(HttpServletRequest request, HttpServletResponse response, IRequest pendingReq);
+	
+		
+	/**
+	 * Close an active authenticated session on IDP side and get a list authenticated service providers
+	 * 
+	 * @param request http servlet request
+	 * @param response http servlet response
+	 * @param pendingReq ReqPending request for that an authentication session should be closed
+	 * @param internalSSOId internal SSO session identifier 
+	 * @return A container that contains all active SP sessions
+	 * @throws EAAFException
+	 */
+	ISLOInformationContainer performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq, String internalSSOId) throws EAAFException;
+
+	
+}
\ No newline at end of file
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/ISSOManager.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/ISSOManager.java
new file mode 100644
index 00000000..5481fd52
--- /dev/null
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/ISSOManager.java
@@ -0,0 +1,130 @@
+/*******************************************************************************
+ * Copyright 2017 Graz University of Technology
+ * EAAF-Core Components has been developed in a cooperation between EGIZ,  
+ * A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *  
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+package at.gv.egiz.eaaf.core.api.idp.auth;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface;
+import at.gv.egiz.eaaf.core.exceptions.EAAFSSOException;
+
+public interface ISSOManager {
+	
+	//TODO
+	public static int EVENT_SSO_SESSION_INVALID = -1;
+	public static int EVENT_SSO_SESSION_VALID = -1;
+	
+	
+	public static final String PROCESS_ENGINE_SSO_CONSENTS_EVALUATION = "ssoconsentsevaluation";
+	public static final String AUTH_DATA_SSO_SESSIONID	= "eaaf_authdata_sso_sessionId";
+	
+	
+	/**
+	 * Check if there is an active and valid SSO session for the current pending request.
+	 * <br>
+	 * If there is an active SSO session, the pending request will be populated with eID information from SSO session 
+	 * 
+	 * @param pendingReq Current incoming pending request
+	 * @param httpReq http Servlet request
+	 * @param httpResp http Servlet response
+	 * @return true if there is a valid SSO session, otherwise false
+	 * @throws EAAFSSOException
+	 */
+	public boolean checkAndValidateSSOSession(IRequest pendingReq, HttpServletRequest httpReq, HttpServletResponse httpResp) throws EAAFSSOException;
+	
+	/**
+	 * Populate service provider specific SSO settings
+	 * 
+	 * Check if Single Sign-On is allowed for the current pending request and the requested service provider
+	 * Set IRequest.needSingleSignOnFunctionality() to true if SSO is allowed  
+	 * 
+	 * @param pendingReq Current incoming pending request
+	 * @param httpReq http Servlet request
+	 */
+	public void isSSOAllowedForSP(IRequest pendingReq, HttpServletRequest httpReq);
+	
+	
+	/**
+	 * Populate the current pending request with eID information from an existing SSO session 
+	 * 
+	 * @param pendingReq pending request that should be populated by SSO session
+	 * @throws EAAFSSOException if pending request contains no SSO information or population failed
+	 */
+	public void populatePendingRequestWithSSOInformation(IRequest pendingReq) throws EAAFSSOException;
+	
+	
+	/**
+	 * Destroy an active SSO session on IDP site only
+	 * 
+	 * @param httpReq http servlet request
+	 * @param httpResp http servlet response
+	 * @param pendingReq 
+	 * @return true if a SSO session was closed successfully, otherwise false
+	 * @throws EAAFSSOException in case of an internal processing error
+	 */
+	public boolean destroySSOSessionOnIDPOnly(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq) throws EAAFSSOException;
+	
+	
+	
+	/**
+	 * Create a new SSO session-cookie for a specific pendingRequest and add it into http response
+	 * 
+	 * @param req http Request
+	 * @param resp http Response
+	 * @param pendingReq Current open PendingRequest 
+	 * @return new created SSO identifier
+	 * @throws EAAFSSOException
+	 */
+	public String createNewSSOSessionCookie(HttpServletRequest req, HttpServletResponse resp, IRequest pendingReq)  throws EAAFSSOException;
+
+	
+	/**
+	 * Create a new SSO session in database
+	 * 
+	 * @param pendingReq
+	 * @param newSSOSessionId
+	 * @throws EAAFSSOException
+	 */
+	public void createNewSSOSession(IRequest pendingReq, String newSSOSessionId) throws EAAFSSOException;
+
+
+	/**
+	 * Updateing an existing SSO session in database
+	 * 
+	 * @param pendingReq
+	 * @param newSSOSessionId
+	 * @param sloInformation
+	 * @throws EAAFSSOException
+	 */
+	public void updateSSOSession(IRequest pendingReq, String newSSOSessionId, SLOInformationInterface sloInformation)  throws EAAFSSOException;
+
+
+
+
+
+}
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IAuthProcessDataContainer.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IAuthProcessDataContainer.java
new file mode 100644
index 00000000..17ec6445
--- /dev/null
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IAuthProcessDataContainer.java
@@ -0,0 +1,185 @@
+/*******************************************************************************
+ * Copyright 2017 Graz University of Technology
+ * EAAF-Core Components has been developed in a cooperation between EGIZ,  
+ * A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *  
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+package at.gv.egiz.eaaf.core.api.idp.auth.data;
+
+import java.util.Date;
+import java.util.Map;
+
+import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
+
+public interface IAuthProcessDataContainer {
+
+	/**
+	 * Returns the issuing time of the AUTH-Block SAML assertion.
+	 * 
+	 * @return The issuing time of the AUTH-Block SAML assertion.
+	 */
+	String getIssueInstant();
+
+	/**
+	 * Sets the issuing time of the AUTH-Block SAML assertion.
+	 * 
+	 * @param issueInstant
+	 *            The issueInstant to set.
+	 */
+	void setIssueInstant(String issueInstant);
+	
+	/**
+	 * Indicate if the authentication process is finished
+	 * 
+	 * @return
+	 */
+	boolean isAuthenticated();
+
+	/**
+	 * Mark the authentication as authenticated, which means that the authenication process is completed
+	 * 
+	 * @param authenticated
+	 */
+	void setAuthenticated(boolean authenticated);
+	
+	/**
+	 * Returns the identityLink.
+	 * 
+	 * @return IdentityLink
+	 */
+	@Deprecated
+	IIdentityLink getIdentityLink();
+	
+	/**
+	 * Sets the identityLink.
+	 * 
+	 * @param identityLink
+	 *            The identityLink to set
+	 */
+	@Deprecated
+	void setIdentityLink(IIdentityLink identityLink);
+	
+	
+	/**
+	 * Flag marks the authentication process as new E-ID process 
+	 * 
+	 * @return true if E-ID process, otherwise false
+	 */
+	boolean isEIDProcess();
+	
+	
+	/**
+	 * Set the flag to make the process as new E-ID process 
+	 * 
+	 * @param value true if new E-ID process, otherwise false
+	 */
+	void setEIDProcess(boolean value);
+	
+	/**
+	 * Indicate that mandates was used in this auth. process
+	 * 
+	 * @return
+	 */
+	boolean isMandateUsed();
+	
+	/**
+	 * Mark that mandates was used in this auth. process
+	 * 
+	 * @param useMandates
+	 */
+	void setUseMandates(boolean useMandates);
+
+	/**
+	 * Indicate that the auth. process was performed by a foreigner
+	 * 
+	 * @return
+	 */
+	boolean isForeigner();
+
+	/**
+	 * Mark that the auth. process was done by a foreigner
+	 * 
+	 * @param isForeigner
+	 */
+	void setForeigner(boolean isForeigner);
+	
+	/**
+	 * Indicate that the auth. process was performed by an official representatives 
+	 * 
+	 * @return is official representatives 
+	 */
+	boolean isOW();
+
+	/**
+	 * Mark that the auth. process was done by an official representatives 
+	 *            
+	 */
+	void setOW(boolean isOW);
+	
+	/**
+	 * eIDAS QAA level
+	 * 
+	 * @return the qAALevel
+	 */
+	String getQAALevel();
+
+	/**
+	 * set QAA level in eIDAS form
+	 * 
+	 * @param qAALevel the qAALevel to set
+	 */
+	void setQAALevel(String qAALevel);
+
+	/**
+	 * @return the sessionCreated
+	 */
+	Date getSessionCreated();
+
+	Map<String, Object> getGenericSessionDataStorage();
+
+	/**
+	 * Returns a generic session-data object with is stored with a specific identifier 
+	 * 
+	 * @param key The specific identifier of the session-data object
+	 * @return The session-data object or null if no data is found with this key
+	 */
+	Object getGenericDataFromSession(String key);
+
+	/**
+	 * Returns a generic session-data object with is stored with a specific identifier 
+	 * 
+	 * @param key The specific identifier of the session-data object
+	 * @param clazz The class type which is stored with this key
+	 * @return The session-data object or null if no data is found with this key
+	 */
+	<T> T getGenericDataFromSession(String key, Class<T> clazz);
+
+	/**
+	 * Store a generic data-object to session with a specific identifier
+	 * 
+	 * @param key Identifier for this data-object
+	 * @param object Generic data-object which should be stored. This data-object had to be implement the 'java.io.Serializable' interface
+	 * @throws EAAFStorageException Error message if the data-object can not stored to generic session-data storage
+	 */
+	void setGenericDataToSession(String key, Object object) throws EAAFStorageException;
+}
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IIdentityLink.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IIdentityLink.java
new file mode 100644
index 00000000..df71b30a
--- /dev/null
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/data/IIdentityLink.java
@@ -0,0 +1,182 @@
+/*******************************************************************************
+ * Copyright 2017 Graz University of Technology
+ * EAAF-Core Components has been developed in a cooperation between EGIZ,  
+ * A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *  
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+package at.gv.egiz.eaaf.core.api.idp.auth.data;
+
+import java.io.IOException;
+import java.security.PublicKey;
+
+import javax.xml.transform.TransformerException;
+
+import org.w3c.dom.Element;
+
+/**
+ * @author tlenz
+ *
+ */
+public interface IIdentityLink {
+
+	/**
+	   * Returns the dateOfBirth.
+	   * @return Calendar
+	   */
+	String getDateOfBirth();
+
+	/**
+	   * Returns the familyName.
+	   * @return String
+	   */
+	String getFamilyName();
+
+	/**
+	   * Returns the givenName.
+	   * @return String
+	   */
+	String getGivenName();
+
+	/**
+	 * Return  the name as 'givenName + " " + familyName'<br>
+	 * This method should be used any more. Use getFamilyName() and getGivenName() separately.
+	 * 
+	 * @return The name.
+	*/
+	@Deprecated
+	String getName();
+
+	/**
+	   * Returns the identificationValue.
+		 * <code>"identificationValue"</code> is the translation of <code>"Stammzahl"</code>.
+	   * @return String
+	   */
+	String getIdentificationValue();
+
+	/**
+	 * Returns the identificationType.
+	 * <code>"identificationType"</code> type of the identificationValue in the IdentityLink.
+	 * @return String
+	 */
+	String getIdentificationType();
+
+	/**
+	   * Sets the dateOfBirth.
+	   * @param dateOfBirth The dateOfBirth to set
+	   */
+	void setDateOfBirth(String dateOfBirth);
+
+	/**
+	   * Sets the familyName.
+	   * @param familyName The familyName to set
+	   */
+	void setFamilyName(String familyName);
+
+	/**
+	   * Sets the givenName.
+	   * @param givenName The givenName to set
+	   */
+	void setGivenName(String givenName);
+
+	/**
+	   * Sets the identificationValue.
+		 * <code>"identificationValue"</code> is the translation of <code>"Stammzahl"</code>.
+	   * @param identificationValue The identificationValue to set
+	   */
+	void setIdentificationValue(String identificationValue);
+
+	/**
+	 * Sets the Type of the identificationValue.
+	 * @param identificationType The type of identificationValue to set
+	 */
+	void setIdentificationType(String identificationType);
+
+	/**
+	   * Returns the samlAssertion.
+	   * @return Element
+	   */
+	Element getSamlAssertion();
+
+	/**
+	   * Returns the samlAssertion.
+	   * @return Element
+	   */
+	String getSerializedSamlAssertion();
+
+	/**
+	   * Sets the samlAssertion and the serializedSamlAssertion.
+	   * @param samlAssertion The samlAssertion to set
+	   */
+	void setSamlAssertion(Element samlAssertion) throws TransformerException, IOException;
+
+	/**
+	   * Returns the dsigReferenceTransforms.
+	   * @return Element[]
+	   */
+	Element[] getDsigReferenceTransforms();
+
+	/**
+	   * Sets the dsigReferenceTransforms.
+	   * @param dsigReferenceTransforms The dsigReferenceTransforms to set
+	   */
+	void setDsigReferenceTransforms(Element[] dsigReferenceTransforms);
+
+	/**
+	   * Returns the publicKey.
+	   * @return PublicKey[]
+	   */
+	PublicKey[] getPublicKey();
+
+	/**
+	   * Sets the publicKey.
+	   * @param publicKey The publicKey to set
+	   */
+	void setPublicKey(PublicKey[] publicKey);
+
+	/**
+	   * Returns the prPerson.
+	   * @return Element
+	   */
+	Element getPrPerson();
+
+	/**
+	   * Sets the prPerson.
+	   * @param prPerson The prPerson to set
+	   */
+	void setPrPerson(Element prPerson);
+
+	/**
+	   * Returns the issuing time of the identity link SAML assertion.
+	   *
+	   * @return The issuing time of the identity link SAML assertion.
+	   */
+	String getIssueInstant();
+
+	/**
+	   * Sets the issuing time of the identity link SAML assertion.
+	   *
+	   * @param issueInstant The issueInstant to set.
+	   */
+	void setIssueInstant(String issueInstant);
+
+}
\ No newline at end of file
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/modules/AuthModule.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/modules/AuthModule.java
new file mode 100644
index 00000000..16df7231
--- /dev/null
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/modules/AuthModule.java
@@ -0,0 +1,67 @@
+/*******************************************************************************
+ * Copyright 2017 Graz University of Technology
+ * EAAF-Core Components has been developed in a cooperation between EGIZ,  
+ * A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *  
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+package at.gv.egiz.eaaf.core.api.idp.auth.modules;
+
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+
+/**
+ * Provides metadata of a certain module. Uses for module discovery and process selection.
+ */
+public interface AuthModule {
+
+	/**
+	 * Returns the priority of the module. The priority defines the order of the respective module within the chain of
+	 * discovered modules. Higher priorized modules are asked before lower priorized modules for a process that they can
+	 * handle.
+	 * <p/>
+	 * Internal default modules are priorized neutral ({@code 0}. Use a higher priority ({@code 1...Integer.MAX_VALUE})
+	 * in order to have your module(s) priorized or a lower priority ({@code Integer.MIN_VALUE...-1}) in order to put
+	 * your modules behind default modules.
+	 * 
+	 * @return the priority of the module.
+	 */
+	int getPriority();
+
+	/**
+	 * Selects a process (description), referenced by its unique id, which is able to perform authentication with the
+	 * given {@link ExecutionContext}. Returns {@code null} if no appropriate process (description) was available within
+	 * this module.
+	 * 
+	 * @param context
+	 *            an ExecutionContext for a process.
+	 * @return the process-ID of a process which is able to work with the given ExecutionContext, or {@code null}.
+	 */
+	String selectProcess(ExecutionContext context);
+
+	/**
+	 * Returns the an Array of {@link ProcessDefinition}s of the processes included in this module.
+	 * 
+	 * @return an array of resource uris of the processes included in this module.
+	 */
+	String[] getProcessDefinitions();
+
+}
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/services/IProtocolAuthenticationService.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/services/IProtocolAuthenticationService.java
new file mode 100644
index 00000000..de5eb036
--- /dev/null
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/idp/auth/services/IProtocolAuthenticationService.java
@@ -0,0 +1,89 @@
+/*******************************************************************************
+ * Copyright 2017 Graz University of Technology
+ * EAAF-Core Components has been developed in a cooperation between EGIZ,  
+ * A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *  
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egiz.eaaf.core.api.idp.auth.services;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.logging.IStatisticLogger;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+
+public interface IProtocolAuthenticationService {
+
+	public String PARAM_GUI_ERROMSG = "errorMsg";
+	public String PARAM_GUI_ERRORCODE = "errorCode";
+	public String PARAM_GUI_ERRORCODEPARAMS = "errorParams";
+	public String PARAM_GUI_ERRORSTACKTRACE = "stacktrace";
+	
+	
+	/**
+	 * Initialize an authentication process for this protocol request
+	 * 
+	 * @param httpReq HttpServletRequest	
+	 * @param httpResp HttpServletResponse
+	 * @param protocolRequest Authentication request which is actually in process
+	 * @throws IOException 
+	 * @throws EAAFException 
+	 */
+	void performAuthentication(HttpServletRequest req, HttpServletResponse resp, IRequest pendingReq)
+			throws IOException, EAAFException;
+
+	/**
+	 * Finalize the requested protocol operation
+	 * 
+	 * @param httpReq HttpServletRequest	
+	 * @param httpResp HttpServletResponse
+	 * @param protocolRequest Authentication request which is actually in process
+	 * @throws IOException If response can not be written into {@link HttpServletResponse}
+	 * @throws EAAFException If an internal error occur 
+	 */
+	void finalizeAuthentication(HttpServletRequest req, HttpServletResponse resp, IRequest pendingReq) throws EAAFException, IOException;
+
+	/**
+	 * @param throwable Exception that should be handled
+	 * @param req Current open http request as {@link HttpServletRequest}
+	 * @param resp Current open http response as {@link HttpServletResponse}
+	 * @param pendingReq Authentication request which is actually in process
+	 * @throws IOException If response can not be written into {@link HttpServletResponse}
+	 * @throws EAAFException If an internal error occur
+	 */
+	void buildProtocolSpecificErrorResponse(Throwable throwable, HttpServletRequest req, HttpServletResponse resp,
+			IRequest pendingReq) throws IOException, EAAFException;
+
+	/**
+	 * Handles all exceptions with no pending request.
+	 * Therefore, the error is written to the users browser
+	 * 
+	 * @param throwable Exception that should be handled
+	 * @param req Current open http request as {@link HttpServletRequest}
+	 * @param resp Current open http response as {@link HttpServletResponse}
+	 * @param writeExceptionToStatisticLog if <code>true</code>, the exception get logged into {@link IStatisticLogger}
+	 * @throws IOException If response can not be written into {@link HttpServletResponse}
+	 * @throws EAAFException If an internal error occure
+	 */
+	void handleErrorNoRedirect(Throwable throwable, HttpServletRequest req, HttpServletResponse resp, boolean writeExceptionToStatisticLog) throws IOException, EAAFException;
+
+}
\ No newline at end of file