Diffstat (limited to 'modules/authmodule-eIDAS-v2/src/main/java')
| -rw-r--r-- | modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java | 37 | 
1 files changed, 27 insertions, 10 deletions
| diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java index 96aa9c51..e8fb5b6b 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java @@ -81,6 +81,7 @@ import lombok.extern.slf4j.Slf4j;  public class AlternativeSearchTask extends AbstractAuthServletTask {    private static final String MSG_PROP_25 = "module.eidasauth.matching.25"; +  private static final String MSG_PROP_26 = "module.eidasauth.matching.26";    private final RegisterSearchService registerSearchService;    private final ICcSpecificEidProcessingService eidPostProcessor; 
@@ -107,11 +108,17 @@ public class AlternativeSearchTask extends AbstractAuthServletTask {            MatchingTaskUtils.getIntermediateMatchingResult(pendingReq);        //pre-validation of eIDAS data -      preVerifyAlternativeEidasData(altEidasData, initialEidasData, intermediateMatchingState); - -      //perform register search operation based on alterantive eIDAS data -      step11RegisterSearchWithPersonIdentifier(executionContext, altEidasData, -          intermediateMatchingState, initialEidasData); +      if (!preVerifyAlternativeEidasData(altEidasData, initialEidasData,  +          intermediateMatchingState, executionContext)) { +        executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); +        executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED, true);  +         +      } else { +        //perform register search operation based on alterantive eIDAS data +        step11RegisterSearchWithPersonIdentifier(executionContext, altEidasData, +            intermediateMatchingState, initialEidasData); +         +      }      } catch (WorkflowException e) {        throw new TaskExecutionException(pendingReq, "Initial search failed", e); 
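Review bot: The `else` branch does not reset `CONTEXT_FLAG_ADVANCED_MATCHING_FAILED` or the stored failure reason. If the execution context outlives a rejected attempt and the user comes back through this task, the register search could run with the failure flag from the earlier attempt still set. Whether `step11RegisterSearchWithPersonIdentifier` or a later task clears it is not visible in this hunk. Consider resetting it explicitly before the search, for example `executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED, false);`, or add a comment naming the task that clears it. The two failure flags are set here while the reason is written inside `preVerifyAlternativeEidasData`; keeping all three writes in one place would make the failure state easier to audit. The enclosing method starts and ends outside this hunk.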
@@ -131,10 +138,12 @@ public class AlternativeSearchTask extends AbstractAuthServletTask {     * @param altEidasData eIDAS data from alternative authentication     * @param initialEidasData eIDAS data from initial authentication     * @param intermediateMatchingState Intermediate matching result +   * @param executionContext Current execution context state +   * @return <code>true</code> if the current state is valid, otherwise <code>false</code>     * @throws WorkflowException In case of a validation error     */ -  private void preVerifyAlternativeEidasData(SimpleEidasData altEidasData, SimpleEidasData initialEidasData, -      RegisterStatusResults intermediateMatchingState) throws WorkflowException { +  private boolean preVerifyAlternativeEidasData(SimpleEidasData altEidasData, SimpleEidasData initialEidasData, +      RegisterStatusResults intermediateMatchingState, ExecutionContext executionContext) throws WorkflowException {      if (initialEidasData == null) {        throw new WorkflowException("step11", "No initial eIDAS authn data", true); 
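Review bot: The Javadoc no longer matches the method's contract. `@throws WorkflowException In case of a validation error` is still there, but the country-code and MDS mismatches now return `false`, and only the missing-data checks, such as the `initialEidasData == null` one visible here, still throw. I would narrow it to `@throws WorkflowException If required eIDAS authentication data is missing` and extend the return tag to `@return <code>true</code> if the alternative data matches the initial data, <code>false</code> on a country-code or MDS mismatch`. The new parameter is also written to, so `@param executionContext Execution context; receives the failure reason when validation fails` would tell the caller that this verify method has a side effect. The method body continues past the end of this hunk.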
@@ -146,14 +155,22 @@ public class AlternativeSearchTask extends AbstractAuthServletTask {      }      if (!Objects.equals(altEidasData.getCitizenCountryCode(), initialEidasData.getCitizenCountryCode())) { -      throw new WorkflowException("step11", "Country Code of alternative eIDAS authn not matching", true); +      log.warn("CountryCode: {} from alternative eIDAS authentication DOES NOT match to initial countryCode: {}", +          altEidasData.getCitizenCountryCode(), initialEidasData.getCitizenCountryCode()); +      executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED_REASON, MSG_PROP_26); +      return false; +      }      if (!altEidasData.equalsMds(initialEidasData)) { -      throw new WorkflowException("step11", "MDS of alternative eIDAS authn does not match initial authn", true); +      log.warn("MDS from alternative eIDAS authentication DOES NOT match to initial MDS"); +      executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED_REASON, MSG_PROP_26); +      return false;      } +     +    return true;    }    private void step11RegisterSearchWithPersonIdentifier( @@ -229,7 +246,7 @@ public class AlternativeSearchTask extends AbstractAuthServletTask {      MatchingTaskUtils.storeFinalMatchingResult(pendingReq, result);      //remove intermediate matching-state -    MatchingTaskUtils.storeIntermediateMatchingResult(pendingReq, null); +    //MatchingTaskUtils.storeIntermediateMatchingResult(pendingReq, null);    } | 
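Review bot: A country-code or MDS mismatch between the alternative and the initial eIDAS authentication no longer aborts the process. Beyond the two `log.warn` lines, the only trace is the `MSG_PROP_26` reason in the execution context. A second authentication that resolves to a different identity is worth recording as a security event, and nothing visible here bounds how often the alternative login can be repeated after a mismatch. Please confirm that the other-login-method GUI path limits retries, and consider emitting the project's audit or revision log event next to each warning. A short comment above the first `return false;` would also record the intent, for example `// recoverable by design: caller routes the user to the other-login-method GUI instead of aborting`. The method starts in the previous hunk.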
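Review bot: In the last hunk the cleanup call is commented out rather than removed, and the comment above it, `//remove intermediate matching-state`, now describes something the code no longer does. The intermediate matching result therefore stays in the pending request after the final result has been stored. It presumably holds register search results with personal data, so keeping it longer than needed works against data minimisation and leaves stale state that a later step could pick up. If the state is still needed, for instance by the new retry path, replace both lines with a comment saying which task reads it and where it is finally cleared. Otherwise restore `MatchingTaskUtils.storeIntermediateMatchingResult(pendingReq, null);`. The enclosing method starts outside this hunk.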
