add EAAF module for authentication method based on Security-Layer 2.0 communication

2 files changed, 506 insertions, 0 deletions

diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualeIDRequestTask.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualeIDRequestTask.java
new file mode 100644
index 00000000..337002c5
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualeIDRequestTask.java
@@ -0,0 +1,221 @@
+package at.gv.egiz.eaaf.modules.auth.sl20.tasks;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.http.HttpResponse;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.utils.URIBuilder;
+import org.apache.http.message.BasicNameValuePair;
+import org.jose4j.base64url.Base64Url;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.core.impl.utils.DataURLBuilder;
+import at.gv.egiz.eaaf.core.impl.utils.HttpClientFactory;
+import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+import at.gv.egiz.eaaf.core.impl.utils.Random;
+import at.gv.egiz.eaaf.core.impl.utils.TransactionIDUtils;
+import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
+import at.gv.egiz.eaaf.modules.auth.sl20.EventCodes;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SLCommandoBuildException;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SLCommandoParserException;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.IJOSETools;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20Constants;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20HttpBindingUtils;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20JSONBuilderUtils;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20JSONExtractorUtils;
+
+public abstract class AbstractCreateQualeIDRequestTask extends AbstractAuthServletTask {
+	private static final Logger log = LoggerFactory.getLogger(AbstractCreateQualeIDRequestTask.class);
+	
+	@Autowired(required=true) private IJOSETools joseTools;
+	@Autowired(required=true) private IConfiguration basicConfig;
+	@Autowired(required=true) private HttpClientFactory httpClientFactory;
+	
+	@Override 
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+			
+			log.debug("Starting SL2.0 authentication process .... ");
+ 
+			revisionsLogger.logEvent(pendingReq, EventCodes.AUTHPROCESS_SL20_SELECTED, "sl20auth");
+			
+			try {
+				//get service-provider configuration
+				ISPConfiguration oaConfig = pendingReq.getServiceProviderConfiguration();
+				
+				//get basic configuration parameters
+				String vdaQualeIDUrl = extractVDAURLForSpecificOA(oaConfig, executionContext);				
+				if (StringUtils.isEmpty(vdaQualeIDUrl)) {
+					log.error("NO VDA URL for qualified eID (" + Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT + ")");
+					throw new SL20Exception("sl20.03", new Object[]{"NO VDA URL for qualified eID"});
+					
+				}
+				
+				revisionsLogger.logEvent(pendingReq, EventCodes.AUTHPROCESS_SL20_ENDPOINT_URL, vdaQualeIDUrl);
+						
+				//create SL2.0 command for qualified eID
+				String signedQualeIDCommand = buildSignedQualifiedEIDCommand();
+						
+				//build request container
+				String qualeIDReqId = Random.nextProcessReferenceValue();
+				ObjectNode sl20Req = SL20JSONBuilderUtils.createGenericRequest(qualeIDReqId, null, null, signedQualeIDCommand);
+				
+				//build http POST request
+				HttpPost httpReq = new HttpPost(new URIBuilder(vdaQualeIDUrl).build());								
+				List<NameValuePair> parameters = new ArrayList<NameValuePair>();;
+				parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes())));
+				httpReq.setEntity(new UrlEncodedFormEntity(parameters ));				
+				
+				//build http GET request
+//				URIBuilder sl20ReqUri = new URIBuilder(vdaQualeIDUrl);
+//				sl20ReqUri.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes()));
+//				HttpGet httpReq = new HttpGet(sl20ReqUri.build());
+				
+				//set native client header
+				httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE);
+
+				log.trace("Request VDA via SL20 with: " + Base64Url.encode(sl20Req.toString().getBytes()));
+				
+				//request VDA
+				HttpResponse httpResp = httpClientFactory.getHttpClient().execute(httpReq);
+								
+				//parse response
+				log.info("Receive response from VDA ... ");
+				JsonNode sl20Resp = SL20JSONExtractorUtils.getSL20ContainerFromResponse(httpResp);
+				VerificationResult respPayloadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20Resp, null, false);
+				
+				if (respPayloadContainer.isValidSigned() == null) {
+					log.debug("Receive unsigned payLoad from VDA");
+					
+				}
+				
+				JsonNode respPayload = respPayloadContainer.getPayload();
+				if (respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).asText()
+						.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT)) {
+					log.debug("Find 'redirect' command in VDA response ... ");									
+					JsonNode params = SL20JSONExtractorUtils.getJSONObjectValue(respPayload, SL20Constants.SL20_COMMAND_CONTAINER_PARAMS, true);					
+					String redirectURL = SL20JSONExtractorUtils.getStringValue(params, SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_URL, true);									
+					JsonNode command = SL20JSONExtractorUtils.getJSONObjectValue(params, SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_COMMAND, false);
+					String signedCommand = SL20JSONExtractorUtils.getStringValue(params, SL20Constants.SL20_COMMAND_PARAM_GENERAL_REDIRECT_SIGNEDCOMMAND, false);					
+
+					//create forward SL2.0 command
+					ObjectNode sl20Forward = sl20Resp.deepCopy();					
+					SL20JSONBuilderUtils.addOnlyOnceOfTwo(sl20Forward, 
+							SL20Constants.SL20_PAYLOAD, SL20Constants.SL20_SIGNEDPAYLOAD, 
+							command.deepCopy(), signedCommand);
+										
+					//store pending request
+					pendingReq.setRawDataToTransaction(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, 
+							qualeIDReqId);
+					requestStoreage.storePendingRequest(pendingReq);
+
+					//forward SL2.0 command
+					//TODO: maybe add SL2ClientType Header from execution context
+					SL20HttpBindingUtils.writeIntoResponse(request, response, sl20Forward, redirectURL);
+													
+				} else if (respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).asText()
+						.equals(SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR)) { 
+					JsonNode result = SL20JSONExtractorUtils.getJSONObjectValue(respPayload, SL20Constants.SL20_COMMAND_CONTAINER_RESULT, false);
+					if (result  == null)
+						result = SL20JSONExtractorUtils.getJSONObjectValue(respPayload, SL20Constants.SL20_COMMAND_CONTAINER_PARAMS, false);
+					
+					String errorCode = SL20JSONExtractorUtils.getStringValue(result, SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORCODE, true);
+					String errorMsg = SL20JSONExtractorUtils.getStringValue(result, SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORMESSAGE, true);
+					
+					log.info("Receive SL2.0 error. Code:" + errorCode + " Msg:" + errorMsg);
+					throw new SL20Exception("sl20.08", new Object[]{errorCode, errorMsg});
+					
+				} else {
+					//TODO: update to add error handling
+					log.warn("Received an unrecognized command: " + respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).asText());
+					throw new SLCommandoParserException("Received an unrecognized command: \" + respPayload.get(SL20Constants.SL20_COMMAND_CONTAINER_NAME).getAsString()");
+				}
+				
+				
+			} catch (EAAFAuthenticationException  e) {
+				throw new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e);
+				
+			} catch (Exception e) {
+				log.warn("SL2.0 Authentication FAILED with a generic error.", e);
+				throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+				
+			} finally {				
+				TransactionIDUtils.removeTransactionId();
+				TransactionIDUtils.removeSessionId();
+				
+			}
+			
+	}
+			
+	/**
+	 * Create a implementation specific qualified eID SL2.0 command
+	 * @param oaConfig 
+	 * 
+	 * @return signed JWT token as serialized {@link String} 
+	 * @throws CertificateEncodingException 
+	 * @throws SLCommandoBuildException 
+	 * @throws SL20Exception 
+	 */
+	protected abstract String buildSignedQualifiedEIDCommand() throws CertificateEncodingException, SL20Exception;
+
+	
+	private String extractVDAURLForSpecificOA(ISPConfiguration oaConfig, ExecutionContext executionContext) {		
+		
+		//TODO: fully remove if not required any more
+		//String spSpecificVDAEndpoints = oaConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_SL20_ENDPOINTS);		
+		String spSpecificVDAEndpoints = null;
+		
+		Map<String, String> endPointMap = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST);
+		if (StringUtils.isNotEmpty(spSpecificVDAEndpoints)) {
+			endPointMap.putAll(KeyValueUtils.convertListToMap(
+							KeyValueUtils.getListOfCSVValues(
+								KeyValueUtils.normalizeCSVValueString(spSpecificVDAEndpoints))));
+			log.debug("Find OA specific SL2.0 endpoints. Updating endPoint list ... ");
+		
+		} 
+		
+		log.trace("Find #" + endPointMap.size() + " SL2.0 endpoints ... ");
+		
+		//selection based on request Header
+		String sl20VDATypeHeader = (String)  executionContext.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase());
+		if (StringUtils.isNotEmpty(sl20VDATypeHeader)) {
+			String vdaURL = endPointMap.get(sl20VDATypeHeader);
+			if (StringUtils.isNotEmpty(vdaURL))
+				return vdaURL.trim();
+			
+			else
+				log.info("Can NOT find VDA with Id: " + sl20VDATypeHeader + ". Use default VDA");
+						
+	}
+		
+		log.info("NO SP specific VDA endpoint found. Use default VDA");
+		return endPointMap.getOrDefault(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT,
+				Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID + Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT);
+		
+	}
+
+}
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java
new file mode 100644
index 00000000..34a097bd
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java
@@ -0,0 +1,285 @@
+package at.gv.egiz.eaaf.modules.auth.sl20.tasks;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.http.entity.ContentType;
+import org.jose4j.base64url.Base64Url;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import com.fasterxml.jackson.core.JsonParseException;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.core.impl.utils.DataURLBuilder;
+import at.gv.egiz.eaaf.core.impl.utils.StreamUtils;
+import at.gv.egiz.eaaf.core.impl.utils.TransactionIDUtils;
+import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
+import at.gv.egiz.eaaf.modules.auth.sl20.EventCodes;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SLCommandoParserException;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.IJOSETools;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.JsonMapper;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20Constants;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20JSONBuilderUtils;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20JSONExtractorUtils;
+
+
+public abstract class AbstractReceiveQualeIDTask extends AbstractAuthServletTask {
+	private static final Logger log = LoggerFactory.getLogger(AbstractReceiveQualeIDTask.class);
+	
+	@Autowired(required=true) private IJOSETools joseTools;
+	
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {		
+		String sl20Result = null;
+		 
+		try {
+			log.debug("Receiving SL2.0 response process .... ");
+			JsonNode sl20ReqObj = null;			
+			try {
+				//get SL2.0 command or result from HTTP request
+				Map<String, String> reqParams = getParameters(request);
+				sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
+				
+				if (StringUtils.isEmpty(sl20Result)) {
+					//Workaround for SIC Handy-Signature, because it sends result in InputStream
+					String isReqInput = StreamUtils.readStream(request.getInputStream(), "UTF-8");					
+					if (StringUtils.isNotEmpty(isReqInput)) {
+						log.info("Use SIC Handy-Signature work-around!");
+						sl20Result = isReqInput.substring("slcommand=".length());
+						
+					} else {					
+						log.info("NO SL2.0 commando or result FOUND.");
+						throw new SL20Exception("sl20.04", null);
+					}
+				
+				}
+
+				log.trace("Received SL2.0 result: " + sl20Result);				
+				revisionsLogger.logEvent(pendingReq, EventCodes.AUTHPROCESS_SL20_DATAURL_IP, request.getRemoteAddr());
+			
+				//parse SL2.0 command/result into JSON			
+				try {
+					sl20ReqObj = new JsonMapper().getMapper().readTree(Base64Url.decodeToUtf8String(sl20Result));
+				
+				} catch (JsonParseException  e) {
+					log.warn("SL2.0 command or result is NOT valid JSON.", e);
+					log.debug("SL2.0 msg: " + sl20Result);
+					throw new SL20Exception("sl20.02", new Object[]{"SL2.0 command or result is NOT valid JSON."}, e);
+				
+				}
+			
+				//validate reqId with inResponseTo 
+				String sl20ReqId = pendingReq.getRawData(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, String.class);
+				String inRespTo = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_INRESPTO, true);
+				if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) {
+					log.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+					throw new SL20SecurityException("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+				}
+			
+			
+				//validate signature
+				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(
+						sl20ReqObj, joseTools, 
+						authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true));
+				
+				if ( (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned())) {
+					if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) {
+						log.info("SL20 result from VDA was not valid signed");
+						throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."});
+				
+					} else {
+						log.warn("SL20 result from VDA is NOT valid signed, but signatures-verification is DISABLED by configuration!");
+						
+					}
+				}
+				
+				/*TODO validate certificate by using MOA-SPSS
+				* currently, the certificate is validated in IJOSETools by using a pkcs12 or jks keystore
+				*/
+				List<X509Certificate> sigCertChain = payLoadContainer.getCertChain();
+			
+			
+				//extract payloaf
+				JsonNode payLoad = payLoadContainer.getPayload();
+			
+				
+				//handle SL2.0 response payLoad
+				handleResponsePayLoad(payLoad);
+								
+				
+			} catch (EAAFAuthenticationException  e) {
+				log.warn("SL2.0 processing error:", e);
+				if (sl20Result != null)
+					log.debug("Received SL2.0 result: " + sl20Result);
+				pendingReq.setRawDataToTransaction(
+						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
+						new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e));
+				
+			} catch (Exception e) {
+				log.warn("ERROR:", e);
+				log.warn("SL2.0 Authentication FAILED with a generic error.", e);
+				if (sl20Result != null)
+					log.debug("Received SL2.0 result: " + sl20Result);
+				pendingReq.setRawDataToTransaction(
+						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
+						new TaskExecutionException(pendingReq, e.getMessage(), e));
+				
+			} finally {
+				//store pending request
+				requestStoreage.storePendingRequest(pendingReq);
+								
+					//write SL2.0 response
+					if (sl20ReqObj != null)				
+						buildResponse(request, response, sl20ReqObj);
+					else 
+						buildErrorResponse(request, response, "2000", "General transport Binding error");					
+					
+			}
+		
+		} catch (Exception e) {
+			//write internal server errror 500 according to SL2.0 specification, chapter https transport binding			
+			log.warn("Can NOT build SL2.0 response. Reason: " + e.getMessage(), e);
+			if (sl20Result != null)
+				log.debug("Received SL2.0 result: " + sl20Result);
+			try {
+				response.sendError(500, "Internal Server Error.");
+				
+			} catch (IOException e1) {
+				log.error("Can NOT send error message. SOMETHING IS REALY WRONG!", e);
+				
+			}	
+			
+		} finally {
+			TransactionIDUtils.removeTransactionId();
+			TransactionIDUtils.removeSessionId();
+			
+		}
+	}
+
+	protected abstract void handleResponsePayLoad(JsonNode payLoad) throws SLCommandoParserException, SL20Exception, EAAFStorageException;
+
+	protected abstract String getResumeEndPoint();
+	
+	private void buildErrorResponse(HttpServletRequest request, HttpServletResponse response, String errorCode, String errorMsg) throws Exception {				
+		ObjectNode error = SL20JSONBuilderUtils.createErrorCommandResult(errorCode, errorMsg);
+		ObjectNode respContainer = SL20JSONBuilderUtils.createGenericRequest(
+				UUID.randomUUID().toString(), 
+				null, 
+				error , 
+				null);
+			
+		log.debug("Client request containts 'native client' header ... ");	
+		log.trace("SL20 response to VDA: " + respContainer);
+		StringWriter writer = new StringWriter();
+		writer.write(respContainer.toString());						
+		final byte[] content = writer.toString().getBytes("UTF-8");
+		response.setStatus(HttpServletResponse.SC_OK);
+		response.setContentLength(content.length);
+		response.setContentType(ContentType.APPLICATION_JSON.toString());						
+		response.getOutputStream().write(content);
+				
+	}
+
+	private void buildResponse(HttpServletRequest request, HttpServletResponse response, JsonNode sl20ReqObj) throws IOException, SL20Exception {		
+				//create response 
+				Map<String, String> reqParameters = new HashMap<String, String>();
+				reqParameters.put(EAAFConstants.PARAM_HTTP_TARGET_PENDINGREQUESTID, pendingReq.getPendingRequestId());
+				ObjectNode callReqParams = SL20JSONBuilderUtils.createCallCommandParameters(
+						new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), getResumeEndPoint(), null), 
+						SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_METHOD_GET, 
+						false, 
+						reqParameters);
+				ObjectNode callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams);
+				
+				//build first redirect command for app
+				ObjectNode redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
+				generateICPRedirectURLForDebugging(), 
+				callCommand, null, true);
+				ObjectNode redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams);
+								
+				//build second redirect command for IDP
+				ObjectNode redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
+						new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), getResumeEndPoint(), null), 
+						redirectOneCommand, null, true);
+				ObjectNode redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams);
+				
+				//build generic SL2.0 response container								
+				String transactionId = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false);
+				ObjectNode respContainer = SL20JSONBuilderUtils.createGenericRequest(
+						UUID.randomUUID().toString(), 
+						transactionId, 
+						redirectTwoCommand, 
+						null); 
+				
+		//workaround for A-Trust
+				if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null && 
+				request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)
+					|| true) {					
+			log.debug("Client request containts 'native client' header ... ");
+			log.trace("SL20 response to VDA: " + respContainer);
+					StringWriter writer = new StringWriter();
+					writer.write(respContainer.toString());						
+					final byte[] content = writer.toString().getBytes("UTF-8");
+					response.setStatus(HttpServletResponse.SC_OK);
+					response.setContentLength(content.length);
+					response.setContentType(ContentType.APPLICATION_JSON.toString());						
+					response.getOutputStream().write(content);
+					
+					
+				} else {
+					log.info("SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'");
+					throw new SL20Exception("sl20.06", 
+							new Object[] {"SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"});
+					
+				}
+			}
+
+	/**
+	 * Generates a IPC redirect URL that is configured on IDP side
+	 * 
+	 * @return IPC ReturnURL, or null if no URL is configured
+	 */
+	private String generateICPRedirectURLForDebugging() {
+		final String PATTERN_PENDING_REQ_ID = "#PENDINGREQID#";
+			
+		String ipcRedirectURLConfig = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_IPC_RETURN_URL);				
+		if (StringUtils.isNotEmpty(ipcRedirectURLConfig)) {			
+			if (ipcRedirectURLConfig.contains(PATTERN_PENDING_REQ_ID)) {
+				log.trace("Find 'pendingReqId' pattern in IPC redirect URL. Update url ... ");
+				ipcRedirectURLConfig = ipcRedirectURLConfig.replaceAll(
+						"#PENDINGREQID#", 
+						EAAFConstants.PARAM_HTTP_TARGET_PENDINGREQUESTID + "=" + pendingReq.getPendingRequestId());
+			
+			}
+			
+			return ipcRedirectURLConfig;
+		}
+	
+		return null;
+		
+	}
+	
+	
+}