<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
    <Match>
      <!-- only redirects to internal addresses -->
      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/>
      <Method name="performRedirectToItself" />
      <Bug pattern="UNVALIDATED_REDIRECT" />
    </Match>
    <Match>
      <!-- only redirects to internal addresses -->
      <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/>
      <Method name="forwardToErrorHandler" />
      <Bug pattern="UNVALIDATED_REDIRECT" />
    </Match>
    <Match>
      <!-- the ErrorToken is only single-used as same as a CSRF token -->
      <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
      <Method name="errorHandling" />
      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
    </Match>
    <Match>
      <!-- the ErrorToken is only single-used as same as a CSRF token -->
      <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
      <Method name="errorRedirect" />
      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
    </Match>
    <Match>
      <!-- Only used to evaluate expressions from pre-compiled process-flows -->
      <OR>
        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/>
        <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/>
      </OR>
      <Bug pattern="SPEL_INJECTION" />
    </Match>
    <Match>
      <!-- URL will be only generated from configuration path-->
      <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/>
      <Bug pattern="PATH_TRAVERSAL_IN" />
    </Match>
    <Match>
      <!-- Logging of request parameters is allowed for this classes -->   
      <OR>
        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/>
        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
        <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/>
      </OR>
      <Bug pattern="CRLF_INJECTION_LOGS" />
    </Match>
</FindBugsFilter>