MOA-ID version 1.1 (initial)

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@19 d688527b-c9ab-4aba-bd8d-4036d912da1d

9 files changed, 1829 insertions, 0 deletions

diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
new file mode 100644
index 000000000..f91222ac3
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
@@ -0,0 +1,678 @@
+package at.gv.egovernment.moa.id.config;
+
+import iaik.pki.pathvalidation.ChainingModes;
+import iaik.utils.RFC2253NameParser;
+import iaik.utils.RFC2253NameParserException;
+
+import java.io.ByteArrayInputStream;
+import java.math.BigInteger;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.w3c.dom.Attr;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+import org.w3c.dom.traversal.NodeIterator;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.config.proxy.OAConfiguration;
+import at.gv.egovernment.moa.id.config.proxy.OAProxyParameter;
+import at.gv.egovernment.moa.id.data.IssuerAndSerial;
+import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.BoolUtils;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.XPathUtils;
+
+/**
+ * A class that builds configuration data from a DOM based representation.
+ * 
+ * @author Patrick Peck
+ * @author Stefan Knirsch
+ * @version $Id$
+ */
+public class ConfigurationBuilder {
+
+  //
+  // XPath namespace prefix shortcuts
+  //
+  /** an XPATH-Expression */ 
+  private static final String CONF = Constants.MOA_ID_CONFIG_PREFIX + ":";
+  /** an XPATH-Expression */ 
+  private static final String DSIG = Constants.DSIG_PREFIX + ":";
+
+  //
+  // chaining mode constants appearing in the configuration file
+  //
+  /** an XPATH-Expression */ 
+  private static final String CM_CHAINING = "chaining";
+  /** an XPATH-Expression */ 
+  private static final String CM_PKIX = "pkix";
+  /** an XPATH-Expression */ 
+  private static final String DEFAULT_ENCODING = "UTF-8";
+
+  /**
+   * Default online application configuration file name
+   * (used when <code>/OnlineApplication/ProxyComponent@configFileURL</code> is <code>null</code>).
+   */
+  public static final String DEFAULT_OA_CONFIG_FILENAME = "MOAConfig.xml";
+
+  //
+  // XPath expressions to select certain parts of the configuration
+  //
+  /** an XPATH-Expression */ 
+  private static final String ROOT = "/" + CONF + "MOA-IDConfiguration/";
+  /** an XPATH-Expression */ 
+  private static final String ROOTOA = "/" + CONF + "Configuration/";
+  /** an XPATH-Expression */ 
+  private static final String AUTH_BKU_XPATH =
+    ROOT + CONF + "AuthComponent/" + CONF + "BKUSelection";
+  /** an XPATH-Expression */ 
+	private static final String AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH =
+    ROOT + CONF + "AuthComponent/" + CONF + "SecurityLayer/" + CONF + "TransformsInfo/@filename";
+  /** an XPATH-Expression */ 
+  private static final String AUTH_MOA_SP_XPATH =
+    ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP";
+  /** an XPATH-Expression */ 
+  private static final String AUTH_MOA_SP_VERIFY_IDENTITY_TRUST_ID_XPATH =
+      ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyIdentityLink/" + CONF + "TrustProfileID";
+  /** an XPATH-Expression */ 
+  private static final String AUTH_MOA_SP_VERIFY_AUTH_TRUST_ID_XPATH =
+        ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyAuthBlock/" + CONF + "TrustProfileID";
+  /** an XPATH-Expression */ 
+  private static final String AUTH_MOA_SP_VERIFY_AUTH_VERIFY_ID_XPATH =
+   ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyAuthBlock/" + CONF  + "VerifyTransformsInfoProfileID";
+
+  /** an XPATH-Expression */ 
+ private static final String AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH =
+    ROOT + CONF + "AuthComponent/" + CONF + "IdentityLinkSigners/" + CONF + "X509SubjectName";
+  /** an XPATH-Expression */ 
+  private static final String PROXY_AUTH_XPATH =
+    ROOT + CONF + "ProxyComponent/" + CONF + "AuthComponent";
+
+  /** an XPATH-Expression */ 
+  private static final String OA_XPATH = ROOT + CONF + "OnlineApplication";
+  /** an XPATH-Expression */ 
+  private static final String OA_LOGIN_XPATH = ROOT + CONF + "OnlineApplication/@loginURL";
+  /** an XPATH-Expression */ 
+  private static final String OA_AUTH_COMPONENT_XPATH = CONF + "AuthComponent";
+  /** an XPATH-Expression */ 
+  private static final String OA_PROXY_COMPONENT_XPATH = CONF + "ProxyComponent";
+  /** an XPATH-Expression */ 
+  private static final String OA_PROXY_COMPONENT_ABSOLUTE_XPATH = ROOT + CONF + "OnlineApplication/" + CONF + "ProxyComponent";
+  /** an XPATH-Expression */ 
+  private static final String OA_PROXY_URL_XPATH = CONF + "ProxyComponent/@configFileURL";
+  /** an XPATH-Expression */ 
+  private static final String OA_PROXY_SESSION_TIMEOUT_XPATH = CONF + "ProxyComponent/@sessionTimeOut";
+  /** an XPATH-Expression */ 
+  private static final String OA_PROXY_LOGIN_PARA_XPATH = CONF + "ProxyComponent/@loginParameterResolverImpl";
+  /** an XPATH-Expression */ 
+  private static final String OA_PROXY_CONNECTION_BUILDER_XPATH = CONF + "ProxyComponent/@connectionBuilderImpl";
+  /** an XPATH-Expression */ 
+  private static final String CONNECTION_PARAMETER_URL_XPATH =
+    CONF + "ConnectionParameter/@URL";
+  /** an XPATH-Expression */ 
+  private static final String CONNECTION_PARAMETER_ACCEPTED_CERTS_XPATH =
+    CONF + "ConnectionParameter/" + CONF + "AcceptedServerCertificates";
+  /** an XPATH-Expression */ 
+  private static final String CONNECTION_PARAMETERN_KEYSTORE_XPATH =
+    CONF + "ConnectionParameter/" + CONF + "ClientKeyStore";
+  /** an XPATH-Expression */ 
+  private static final String CONNECTION_PARAMETER_KEYSTORE_PASS_XPATH =
+    CONNECTION_PARAMETERN_KEYSTORE_XPATH + "/@password";
+  /** an XPATH-Expression */ 
+  private static final String GENERIC_CONFIGURATION_XPATH =
+    ROOT + CONF + "GenericConfiguration";
+  /** an XPATH-Expression */ 
+  private static final String OACONF_LOGIN_TYPE_XPATH =
+    ROOTOA + CONF + "LoginType";
+  /** an XPATH-Expression */ 
+  private static final String OACONF_PARAM_AUTH_PARAMETER_XPATH =
+    ROOTOA + CONF + "ParamAuth/" + CONF + "Parameter";
+  /** an XPATH-Expression */ 
+  private static final String OACONF_USER_ID_XPATH =
+    ROOTOA + CONF + "BasicAuth/" + CONF + "UserID";
+  /** an XPATH-Expression */ 
+  private static final String OACONF_PASSWORD_XPATH =
+    ROOTOA + CONF + "BasicAuth/" + CONF + "Password";
+  /** an XPATH-Expression */ 
+  private static final String OACONF_HEADER_AUTH_HEADER_XPATH =
+    ROOTOA + CONF + "HeaderAuth/" + CONF + "Header";
+  /** an XPATH-Expression */ 
+  private static final String CHAINING_MODES_XPATH =
+    ROOT + CONF + "ChainingModes";
+  /** an XPATH-Expression */ 
+  private static final String CHAINING_MODES_DEFAULT_XPATH =
+    CHAINING_MODES_XPATH + "/@systemDefaultMode";
+  /** an XPATH-Expression */ 
+  private static final String TRUST_ANCHOR_XPATH =
+    ROOT + CONF + "ChainingModes/" + CONF + "TrustAnchor";
+  /** an XPATH-Expression */ 
+  private static final String ISSUER_XPATH = DSIG + "X509IssuerName";
+  /** an XPATH-Expression */ 
+  private static final String SERIAL_XPATH = DSIG + "X509SerialNumber";
+  /** an XPATH-Expression */ 
+  private static final String TRUSTED_CA_CERTIFICATES_XPATH =
+    ROOT + CONF + "TrustedCACertificates";
+
+  /** The root element of the MOA-ID configuration */
+  private Element configElem;
+
+  /**
+   * Creates a new <code>MOAConfigurationProvider</code>.
+   * 
+   * @param configElem The root element of the MOA-ID configuration.
+   */
+  public ConfigurationBuilder(Element configElem) {
+    this.configElem = configElem;
+  }
+
+  /**
+   * Returns the root element of the MOA-ID configuration. 
+   * 
+   * @return The root element of the MOA-ID configuration.
+   */
+  public Element getConfigElem() {
+    return configElem;
+  }
+
+  /**
+   * Build a ConnectionParameter object containing all information
+   * of the moa-sp element in the authentication component 
+   * @return ConnectionParameter of the authentication component moa-sp element 
+   */
+  public ConnectionParameter buildAuthBKUConnectionParameter() {
+
+    Element authBKU = (Element) XPathUtils.selectSingleNode(getConfigElem(), AUTH_BKU_XPATH);
+    if (authBKU==null) return null;
+    return buildConnectionParameter(authBKU);
+  }
+
+  /**
+   * Method buildAuthBKUSelectionType.
+   * 
+   * Build a string with the configuration value of BKUSelectionAlternative
+   * 
+   * @return String
+   */
+  public String buildAuthBKUSelectionType() {
+
+   Element authBKU = (Element) XPathUtils.selectSingleNode(getConfigElem(), AUTH_BKU_XPATH);
+   if (authBKU==null) return null;   
+   return (authBKU).getAttribute("BKUSelectionAlternative");
+  }
+
+  /**
+   * Build a string array with all filenames leading
+   * to the Transforms Information for the Security Layer
+   * @return String[] of filenames to the Security Layer Transforms Information
+   */
+  public String[] buildTransformsInfoFileNames() {
+
+    List transformsInfoFileNames = new ArrayList();
+    NodeIterator tiIter =
+      XPathUtils.selectNodeIterator(
+        getConfigElem(),
+        AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH);
+    Attr tiElem;
+
+    while ((tiElem = (Attr) tiIter.nextNode()) != null) {
+
+      String tiFileName = tiElem.getNodeValue();
+      transformsInfoFileNames.add(tiFileName);
+    }
+    String[] result = new String[transformsInfoFileNames.size()];
+    transformsInfoFileNames.toArray(result);
+
+    return result;
+  }
+
+  /**
+   * Build a ConnectionParameter bean containing all information
+   * of the authentication component moa-sp element 
+   * @return ConnectionParameter of the authentication component moa-sp element 
+   */
+  public ConnectionParameter buildMoaSpConnectionParameter() {
+
+    Element connectionParameter = (Element) XPathUtils.selectSingleNode(getConfigElem(), AUTH_MOA_SP_XPATH);
+    if (connectionParameter==null) return null;
+    return buildConnectionParameter(connectionParameter);
+  }
+
+  /**
+   * Return a string with a url-reference to the VerifyIdentityLink trust 
+   * profile id within the moa-sp part of the authentication component
+   * @return String with a url-reference to the VerifyIdentityLink trust profile ID
+   */
+  public String getMoaSpIdentityLinkTrustProfileID() {
+    return XPathUtils.getElementValue(
+      getConfigElem(),
+      AUTH_MOA_SP_VERIFY_IDENTITY_TRUST_ID_XPATH,
+      "");
+  }
+  /**
+   * Return a string representation of an URL pointing to trusted CA Certificates 
+   * @return String representation of an URL pointing to trusted CA Certificates 
+   */
+  public String getTrustedCACertificates() {
+    return XPathUtils.getElementValue(
+      getConfigElem(),
+      TRUSTED_CA_CERTIFICATES_XPATH,null);
+  }
+  
+  /**
+   * Return a string with a url-reference to the VerifyAuthBlock trust 
+   * profile id within the moa-sp part of the authentication component
+   * @return String with a url-reference to the VerifyAuthBlock trust profile ID
+   */
+  public String getMoaSpAuthBlockTrustProfileID() {
+    return XPathUtils.getElementValue(
+      getConfigElem(),
+      AUTH_MOA_SP_VERIFY_AUTH_TRUST_ID_XPATH,
+      "");
+  }
+  /**
+   * Build a string array with references to all verify transform info 
+   * IDs within the moa-sp part of the authentication component
+   * @return A string array containing all urls to the 
+   * verify transform info IDs
+   */
+  public String[] buildMoaSpAuthBlockVerifyTransformsInfoIDs() {
+
+    List verifyTransformsInfoIDs = new ArrayList();
+    NodeIterator vtIter =
+      XPathUtils.selectNodeIterator(
+        getConfigElem(),
+        AUTH_MOA_SP_VERIFY_AUTH_VERIFY_ID_XPATH);
+    Element vtElem;
+
+    while ((vtElem = (Element) vtIter.nextNode()) != null) {
+
+      String vtInfoIDs = DOMUtils.getText(vtElem);
+      verifyTransformsInfoIDs.add(vtInfoIDs);
+    }
+    String[] result = new String[verifyTransformsInfoIDs.size()];
+    verifyTransformsInfoIDs.toArray(result);
+
+    return result;
+  }
+
+  /**
+   * Return a string array containing all X509 Subject Names 
+   * of the Identity Link Signers
+   * @return String with a url-reference to the VerifyAuthBlock trust profile ID
+   */
+  public String[] getIdentityLink_X509SubjectNames() {
+
+    List x509SubjectNameList = new ArrayList();
+    NodeIterator x509Iter =
+      XPathUtils.selectNodeIterator(
+        getConfigElem(),
+        AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH);
+    Element x509Elem;
+
+    while ((x509Elem = (Element) x509Iter.nextNode()) != null) {
+
+      String vtInfoIDs = DOMUtils.getText(x509Elem);
+      x509SubjectNameList.add(vtInfoIDs);
+    }
+    String[] result = new String[x509SubjectNameList.size()];
+    x509SubjectNameList.toArray(result);
+
+    return result;
+  }
+
+  /**
+   * Build an array of the OnlineApplication Parameters containing information 
+   * about the authentication component
+   * @return An OAProxyParameter array containing beans
+   * with all relevant information for the authentication component of the online 
+   * application
+   */
+  public OAAuthParameter[] buildOnlineApplicationAuthParameters() {
+
+    List OA_set = new ArrayList();
+    NodeList OAIter = XPathUtils.selectNodeList(getConfigElem(), OA_XPATH);
+
+    for (int i = 0; i < OAIter.getLength(); i++) {
+      Element oAElem = (Element) OAIter.item(i);
+      Element authComponent =
+        (Element) XPathUtils.selectSingleNode(oAElem, OA_AUTH_COMPONENT_XPATH);
+
+      OAAuthParameter oap = new OAAuthParameter();
+      oap.setPublicURLPrefix(oAElem.getAttribute("publicURLPrefix"));
+      //Check if there is an Auth-Block to read from configuration
+      if (authComponent!=null)
+      {
+        oap.setProvideZMRZahl(BoolUtils.valueOf(authComponent.getAttribute("provideZMRZahl")));
+        oap.setProvideAuthBlock(BoolUtils.valueOf(authComponent.getAttribute("provideAUTHBlock")));
+        oap.setProvideIdentityLink(BoolUtils.valueOf(authComponent.getAttribute("provideIdentityLink")));
+      }
+      OA_set.add(oap);
+    }
+    OAAuthParameter[] result =
+      new OAAuthParameter[OA_set.size()];
+    OA_set.toArray(result);
+
+    return result;
+
+  }
+
+  /**
+   * Build a bean containing all information about the ProxyComponent
+   * @return The ConnectionParameter for the Proxy Component
+   */
+  public ConnectionParameter buildAuthComponentConnectionParameter() 
+  {
+
+    Element connectionParameter = (Element) XPathUtils.selectSingleNode(getConfigElem(), PROXY_AUTH_XPATH);
+    if (connectionParameter==null) return null;
+    return buildConnectionParameter(connectionParameter);
+
+  }
+  /**
+   * Method buildConnectionParameter: internal Method for creating a 
+   * ConnectionParameter object with all data found in the incoming element
+   * @param root: this Element contains the ConnectionParameter
+   * @return ConnectionParameter
+   */
+  protected ConnectionParameter buildConnectionParameter(Element root) 
+  {
+    ConnectionParameter result = new ConnectionParameter();
+    result.setAcceptedServerCertificates(
+      XPathUtils.getElementValue(root,CONNECTION_PARAMETER_ACCEPTED_CERTS_XPATH,null));
+    result.setUrl(
+      XPathUtils.getAttributeValue(root, CONNECTION_PARAMETER_URL_XPATH, ""));
+    result.setClientKeyStore(
+      XPathUtils.getElementValue(root,CONNECTION_PARAMETERN_KEYSTORE_XPATH,null));
+    result.setClientKeyStorePassword(
+    	XPathUtils.getAttributeValue(root,CONNECTION_PARAMETER_KEYSTORE_PASS_XPATH,""));
+    
+    if ((result.getAcceptedServerCertificates()==null)
+        && (result.getUrl()=="")
+        && (result.getClientKeyStore()==null)
+        && (result.getClientKeyStorePassword()==""))
+        return null;
+    
+    return result;
+  }
+
+  /**
+   * Build an array of OnlineApplication Parameter Beans containing information 
+   * about the proxy component
+   * @return An OAProxyParameter array containing beans
+   * with all relevant information for the proxy component of the online 
+   * application
+   */
+  public OAProxyParameter[] buildOnlineApplicationProxyParameters() throws ConfigurationException{
+
+    List oA_list = new ArrayList();
+    NodeList OAIter = XPathUtils.selectNodeList(getConfigElem(), OA_XPATH);
+
+    for (int i = 0; i < OAIter.getLength(); i++) {
+      Element oAElem = (Element) OAIter.item(i);
+      OAProxyParameter oap = new OAProxyParameter();
+      
+      oap.setPublicURLPrefix(oAElem.getAttribute("publicURLPrefix"));
+      Element proxyComponentElem = (Element) XPathUtils.selectSingleNode(oAElem,OA_PROXY_COMPONENT_XPATH);        
+      if (proxyComponentElem != null) {
+        oap.setConfigFileURL(XPathUtils.getAttributeValue(oAElem, OA_PROXY_URL_XPATH, null));
+        // default session time out: 3600 sec = 1 h
+        oap.setSessionTimeOut(new Integer(XPathUtils.getAttributeValue(oAElem,OA_PROXY_SESSION_TIMEOUT_XPATH,"3600")).intValue());
+        oap.setLoginParameterResolverImpl(XPathUtils.getAttributeValue(oAElem, OA_PROXY_LOGIN_PARA_XPATH, null));
+        oap.setConnectionBuilderImpl(XPathUtils.getAttributeValue(oAElem,OA_PROXY_CONNECTION_BUILDER_XPATH, null));
+            
+        ConnectionParameter conPara = buildConnectionParameter(proxyComponentElem);
+        oap.setConnectionParameter(conPara);
+  
+        OAConfiguration oaConf = buildOAConfiguration(getOAConfigElement(oap));
+        oap.setOaConfiguration(oaConf);
+        
+        oA_list.add(oap);
+      }
+    }
+    OAProxyParameter[] result =
+      new OAProxyParameter[oA_list.size()];
+    oA_list.toArray(result);
+
+    return result;
+
+  }
+
+  /**
+   * Build the mapping of generic configuration properties.
+   * 
+   * @return a {@link Map} of generic configuration properties (a name to value
+   * mapping) from the configuration.
+   */
+  public Map buildGenericConfiguration() {
+
+    Map genericConfiguration = new HashMap();
+    NodeIterator gcIter =
+      XPathUtils.selectNodeIterator(
+        getConfigElem(),
+        GENERIC_CONFIGURATION_XPATH);
+    Element gcElem;
+
+    while ((gcElem = (Element) gcIter.nextNode()) != null) {
+      String gcName = gcElem.getAttribute("name");
+      String gcValue = gcElem.getAttribute("value");
+
+      genericConfiguration.put(gcName, gcValue);
+    }
+
+    return genericConfiguration;
+  }
+  /**
+   * Method buildOAConfiguration.
+   * 
+   * Build an {@link OAConfiguration} Object from the given configuration DOM element
+   * 
+   * @param root
+   * @return OAConfiguration
+   * @throws ConfigurationException
+   */
+  public OAConfiguration buildOAConfiguration(Element root) throws ConfigurationException{
+
+    OAConfiguration oaConfiguration = new OAConfiguration();
+
+    //The LoginType hast to be "stateless" or "stateful" to be valid
+    oaConfiguration.setLoginType(
+      XPathUtils.getElementValue(root, OACONF_LOGIN_TYPE_XPATH, null));
+      
+    //Try to build the Parameter Auth Parameters
+    NodeIterator paramAuthIter =
+      XPathUtils.selectNodeIterator(
+        root,
+        OACONF_PARAM_AUTH_PARAMETER_XPATH);
+    Element paramAuthElem;
+    HashMap paramAuthMap = new HashMap();
+    while ((paramAuthElem = (Element) paramAuthIter.nextNode()) != null) {
+      String name = XPathUtils.getAttributeValue(paramAuthElem, "@Name", null);
+      String value = XPathUtils.getAttributeValue(paramAuthElem, "@Value", null);
+      if (paramAuthMap.containsKey(name))
+        throw new ConfigurationException("config.06", new Object[]{"Doppelter Wert für Parameter per HeaderAuthentication"});
+      paramAuthMap.put(name, value);
+    }
+    oaConfiguration.setParamAuthMapping(paramAuthMap);
+    // Try to build the BasicAuthParameters
+    oaConfiguration.setBasicAuthUserIDMapping(
+      XPathUtils.getElementValue(root, OACONF_USER_ID_XPATH, null));
+    oaConfiguration.setBasicAuthPasswordMapping(
+      XPathUtils.getElementValue(root, OACONF_PASSWORD_XPATH, null));
+
+    //Try to build the Parameter Auth Parameters
+    NodeIterator headerAuthIter = XPathUtils.selectNodeIterator(root,OACONF_HEADER_AUTH_HEADER_XPATH);
+
+    Element headerAuthElem;
+    HashMap headerAuthMap = new HashMap();
+    while ((headerAuthElem = (Element) headerAuthIter.nextNode()) != null) {
+      String name =
+        XPathUtils.getAttributeValue(headerAuthElem, "@Name", null);
+      String value =
+        XPathUtils.getAttributeValue(headerAuthElem, "@Value", null);
+      // Contains Key (Neue Config-Exception: doppelte werte)
+      if (headerAuthMap.containsKey(name))
+        throw new ConfigurationException("config.06", new Object[]{"Doppelter Wert für Parameter per HeaderAuthentication"});
+      headerAuthMap.put(name, value);
+    }
+    oaConfiguration.setHeaderAuthMapping(headerAuthMap);
+
+    if (paramAuthMap.size() == 0) {
+      if (oaConfiguration.getBasicAuthUserIDMapping() == null) {
+        oaConfiguration.setAuthType(OAConfiguration.HEADER_AUTH);
+      }
+      else
+        oaConfiguration.setAuthType(OAConfiguration.BASIC_AUTH);
+    }
+    else
+      oaConfiguration.setAuthType(OAConfiguration.PARAM_AUTH);
+
+    return oaConfiguration;
+  }
+
+  /**
+   * Reads the configuration file of the online application, and creates a DOM tree from it.
+   * If <code>/OnlineApplication/ProxyComponent@configFileURL</code> is not given, 
+   * uses default configuration file location.
+   * 
+   * @param oap configuration data of online application, meant for use by MOA-ID-PROXY
+   * @return Element DOM tree root element
+   * @throws ConfigurationException on any exception thrown
+   */
+  private Element getOAConfigElement(OAProxyParameter oap) throws ConfigurationException
+  {  
+    try {
+      String configFileURL = oap.getConfigFileURL();
+      if (configFileURL == null) {
+        // use default config file URL, when config file URL is not given
+        configFileURL = oap.getConnectionParameter().getUrl();
+        if (configFileURL.charAt(configFileURL.length() - 1) != '/')
+          configFileURL += "/";
+        configFileURL += DEFAULT_OA_CONFIG_FILENAME;
+      }
+      Logger.info("Loading MOA-OA configuration " + configFileURL);
+      Element configElem = DOMUtils.parseXmlValidating(
+        new ByteArrayInputStream(FileUtils.readURL(configFileURL)));
+      return configElem;
+    }
+    catch (Throwable t) {
+      throw new ConfigurationException("config.03", new Object[] {"OAConfiguration"} , t);
+    }
+  }
+
+  /**
+   * Returns the default chaining mode from the configuration.
+   * 
+   * @return The default chaining mode.
+   */
+  public String getDefaultChainingMode() {
+    String defaultChaining =
+      XPathUtils.getAttributeValue(
+        getConfigElem(),
+        CHAINING_MODES_DEFAULT_XPATH,
+        CM_CHAINING);
+
+    return translateChainingMode(defaultChaining);
+
+  }
+  /**
+   * Build the chaining modes for all configured trust anchors.
+   * 
+   * @return The mapping from trust anchors to chaining modes.
+   */
+  public Map buildChainingModes() {
+    Map chainingModes = new HashMap();
+    NodeIterator trustIter =
+      XPathUtils.selectNodeIterator(getConfigElem(), TRUST_ANCHOR_XPATH);
+    Element trustAnchorElem;
+
+    while ((trustAnchorElem = (Element) trustIter.nextNode()) != null) {
+      IssuerAndSerial issuerAndSerial = buildIssuerAndSerial(trustAnchorElem);
+      String mode = trustAnchorElem.getAttribute("mode");
+
+      if (issuerAndSerial != null) {
+        chainingModes.put(issuerAndSerial, translateChainingMode(mode));
+      }
+    }
+
+    return chainingModes;
+  }
+  
+  /**
+   * Build an <code>IssuerAndSerial</code> from the DOM representation.
+   * 
+   * @param root The root element (being of type <code>dsig:
+   * X509IssuerSerialType</code>.
+   * @return The issuer and serial number contained in the <code>root</code>
+   * element or <code>null</code> if could not be built for any reason.
+   */
+  private IssuerAndSerial buildIssuerAndSerial(Element root) {
+    String issuer = XPathUtils.getElementValue(root, ISSUER_XPATH, null);
+    String serial = XPathUtils.getElementValue(root, SERIAL_XPATH, null);
+
+    if (issuer != null && serial != null) {
+      try {
+        RFC2253NameParser nameParser = new RFC2253NameParser(issuer);
+        Principal issuerDN = nameParser.parse();
+
+        return new IssuerAndSerial(issuerDN, new BigInteger(serial));
+      } catch (RFC2253NameParserException e) {
+        warn("config.09", new Object[] { issuer, serial }, e);
+        return null;
+      } catch (NumberFormatException e) {
+        warn("config.09", new Object[] { issuer, serial }, e);
+        return null;
+      }
+    }
+    return null;
+  }
+
+  /**
+   * Translate the chaining mode from the configuration file to one used in the
+   * IAIK MOA API.
+   * 
+   * @param chainingMode The chaining mode from the configuration.
+   * @return The chaining mode as provided by the <code>ChainingModes</code>
+   * interface.
+   * @see iaik.pki.pathvalidation.ChainingModes
+   */
+  private String translateChainingMode(String chainingMode) {
+    if (chainingMode.equals(CM_CHAINING)) {
+      return ChainingModes.CHAIN_MODE;
+    } else if (chainingMode.equals(CM_PKIX)) {
+      return ChainingModes.PKIX_MODE;
+    } else {
+      return ChainingModes.CHAIN_MODE;
+    }
+  }
+
+  /**
+   * Method warn.
+   * @param messageId to identify a country-specific message
+   * @param parameters for the logger
+   */
+  //
+  // various utility methods
+  //
+
+  private static void warn(String messageId, Object[] parameters) {
+    Logger.warn(MOAIDMessageProvider.getInstance().getMessage(messageId, parameters));
+  }
+
+  /**
+   * Method warn.
+   * @param messageId to identify a country-specific message
+   * @param args for the logger
+   * @param t as throwabl
+   */
+  private static void warn(String messageId, Object[] args, Throwable t) {
+    Logger.warn(MOAIDMessageProvider.getInstance().getMessage(messageId, args), t);
+  }    
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationException.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationException.java
new file mode 100644
index 000000000..2ebec0398
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationException.java
@@ -0,0 +1,31 @@
+package at.gv.egovernment.moa.id.config;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+
+/**
+ * Exception signalling an error in the configuration.
+ * 
+ * @author Patrick Peck
+ * @version $Id$
+ */
+public class ConfigurationException extends MOAIDException {
+
+  /**
+   * Create a <code>MOAConfigurationException</code>.
+   */
+  public ConfigurationException(String messageId, Object[] parameters) {
+    super(messageId, parameters);
+  }
+
+  /**
+   * Create a <code>MOAConfigurationException</code>.
+   */
+  public ConfigurationException(
+    String messageId,
+    Object[] parameters,
+    Throwable wrapped) {
+
+    super(messageId, parameters, wrapped);
+  }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationProvider.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationProvider.java
new file mode 100644
index 000000000..5d523ba62
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationProvider.java
@@ -0,0 +1,105 @@
+package at.gv.egovernment.moa.id.config;
+
+import java.math.BigInteger;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+
+import at.gv.egovernment.moa.id.data.IssuerAndSerial;
+
+/**
+ * Base class for <code>AuthConfigurationProvider</code> and <code>ProxyConfigurationProvider</code>,
+ * providing functions common to both of them.
+ *
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class ConfigurationProvider {
+
+  /**
+   * Constructor
+   */
+  public ConfigurationProvider() {
+    super();
+  }
+
+  /** 
+   * The name of the system property which contains the file name of the 
+   * configuration file.
+   */
+  public static final String CONFIG_PROPERTY_NAME =
+    "moa.id.configuration";
+
+  /**
+   * The name of the generic configuration property giving the certstore directory path.
+   */
+  public static final String DIRECTORY_CERTSTORE_PARAMETER_PROPERTY =
+    "DirectoryCertStoreParameters.RootDir";
+
+  /**
+     * A <code>Map</code> which contains generic configuration information. Maps a
+     * configuration name (a <code>String</code>) to a configuration value (also a
+     * <code>String</code>).
+     */
+  protected Map genericConfiguration;
+
+  /** The default chaining mode. */
+  protected String defaultChainingMode;
+
+  /** 
+     * A <code>Map</code> which contains the <code>IssuerAndSerial</code> to
+     * chaining mode (a <code>String</code>) mapping.
+     */
+  protected Map chainingModes;
+
+  /**
+     * the URL for the trusted CA Certificates
+     */
+  protected String trustedCACertificates;
+
+  /**
+     * Returns the mapping of generic configuration properties.
+     * 
+     * @return The mapping of generic configuration properties (a name to value
+     * mapping) from the configuration.
+     */
+  public Map getGenericConfiguration() {
+    return genericConfiguration;
+  }
+
+  /**
+     * Returns the value of a parameter from the generic configuration section.
+     * 
+     * @return the parameter value; <code>null</code> if no such parameter
+     */
+  public String getGenericConfigurationParameter(String parameter) {
+  	if (! genericConfiguration.containsKey(parameter))
+  		return null;
+    return (String)genericConfiguration.get(parameter);
+  }
+
+  /**
+     * Return the chaining mode for a given trust anchor.
+     * 
+     * @param trustAnchor The trust anchor for which the chaining mode should be
+     * returned.
+     * @return The chaining mode for the given trust anchor. If the trust anchor
+     * has not been configured separately, the system default will be returned.
+     */
+  public String getChainingMode(X509Certificate trustAnchor) {
+    Principal issuer = trustAnchor.getIssuerDN();
+    BigInteger serial = trustAnchor.getSerialNumber();
+    IssuerAndSerial issuerAndSerial = new IssuerAndSerial(issuer, serial);
+  
+    String mode = (String) chainingModes.get(issuerAndSerial);
+    return mode != null ? mode : defaultChainingMode;
+  }
+
+  /**
+   * Returns the trustedCACertificates.
+   * @return String
+   */
+  public String getTrustedCACertificates() {
+    return trustedCACertificates;
+  }
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConnectionParameter.java b/id.server/src/at/gv/egovernment/moa/id/config/ConnectionParameter.java
new file mode 100644
index 000000000..30b09cfe0
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/ConnectionParameter.java
@@ -0,0 +1,106 @@
+package at.gv.egovernment.moa.id.config;
+
+/**
+ * This bean class is used to store data for various connectionParameter 
+ * within the MOA-ID configuration 
+ * 
+ * @author Stefan Knirsch
+ * @version $Id$
+ */
+public class ConnectionParameter {
+
+  /**
+   * Server URL
+   */
+  private String url;
+  /**
+   * File URL for a directory containing PKCS#12 server SSL certificates.
+   * From these certificates, a X509 trust store will be assembled for use
+   * by a JSSE <code>TrustManager</code>.
+   * This field will only be used in case of an HTTPS URL.
+   */
+  private String acceptedServerCertificates;
+  /**
+   * File URL of a X509 key store containing the private key to be used
+   * for an HTTPS connection when the server requires client authentication.
+   * This field will only be used in case of an HTTPS URL.
+   */
+  private String clientKeyStore;
+  /**
+   * Password protecting the client key store.
+   */
+  private String clientKeyStorePassword;  
+
+	/**
+	 * Checks whether the URL scheme is <code>"https"</code>.
+	 * @return true in case of an URL starting with <code>"https"</code>
+	 */
+	public boolean isHTTPSURL() {
+		return getUrl().indexOf("https") == 0;
+	}
+	  
+  /**
+   * Returns the url.
+   * @return String
+   */
+  public String getUrl() {
+    return url;
+  }
+
+  /**
+   * Returns the acceptedServerCertificates.
+   * @return String
+   */
+  public String getAcceptedServerCertificates() {
+    return acceptedServerCertificates;
+  }
+
+  /**
+   * Sets the acceptedServerCertificates.
+   * @param acceptedServerCertificates The acceptedServerCertificates to set
+   */
+  public void setAcceptedServerCertificates(String acceptedServerCertificates) {
+    this.acceptedServerCertificates = acceptedServerCertificates;
+  }
+
+  /**
+   * Sets the url.
+   * @param url The url to set
+   */
+  public void setUrl(String url) {
+    this.url = url;
+  }
+
+  /**
+   * Returns the clientKeyStore.
+   * @return String
+   */
+  public String getClientKeyStore() {
+    return clientKeyStore;
+  }
+
+  /**
+   * Returns the clientKeyStorePassword.
+   * @return String
+   */
+  public String getClientKeyStorePassword() {
+    return clientKeyStorePassword;
+  }
+
+  /**
+   * Sets the clientKeyStore.
+   * @param clientKeyStore The clientKeyStore to set
+   */
+  public void setClientKeyStore(String clientKeyStore) {
+    this.clientKeyStore = clientKeyStore;
+  }
+
+  /**
+   * Sets the clientKeyStorePassword.
+   * @param clientKeyStorePassword The clientKeyStorePassword to set
+   */
+  public void setClientKeyStorePassword(String clientKeyStorePassword) {
+    this.clientKeyStorePassword = clientKeyStorePassword;
+  }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
new file mode 100644
index 000000000..e3c869d53
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -0,0 +1,341 @@
+package at.gv.egovernment.moa.id.config.auth;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.config.ConfigurationBuilder;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.FileUtils;
+
+/**
+ * A class providing access to the Auth Part of the MOA-ID configuration data.
+ * 
+ * <p>Configuration data is read from an XML file, whose location is given by
+ * the <code>moa.id.configuration</code> system property.</p>
+ * <p>This class implements the Singleton pattern. The <code>reload()</code>
+ * method can be used to update the configuration data. Therefore, it is not
+ * guaranteed that consecutive calls to <code>getInstance()</code> will return
+ * the same <code>AuthConfigurationProvider</code> all the time. During the
+ * processing of a web service request, the current
+ * <code>TransactionContext</code> should be used to obtain the
+ * <code>AuthConfigurationProvider</code> local to that request.</p>
+ * 
+ * @author Patrick Peck
+ * @author Stefan Knirsch
+ * 
+ * @version $Id$
+ */
+public class AuthConfigurationProvider extends ConfigurationProvider {
+	
+  /**  DEFAULT_ENCODING is "UTF-8" */
+  private static final String DEFAULT_ENCODING="UTF-8";
+  /**
+   * The name of the generic configuration property giving the authentication session time out.
+   */
+  public static final String AUTH_SESSION_TIMEOUT_PROPERTY =
+    "AuthenticationSession.TimeOut";
+  /**
+   * The name of the generic configuration property giving the authentication data time out.
+   */
+  public static final String AUTH_DATA_TIMEOUT_PROPERTY =
+    "AuthenticationData.TimeOut";
+
+  /**
+   * BKUSelectionType HTMLComplete, according to schema type <code>BKUSelectionType</code>
+   */
+  public static final String BKU_SELECTION_TYPE_HTMLCOMPLETE = 
+    "HTMLComplete";
+    
+  /**
+   * BKUSelectionType HTMLSelect, according to schema type <code>BKUSelectionType</code>
+   */
+  public static final String BKU_SELECTION_TYPE_HTMLSELECT = 
+    "HTMLSelect";
+    
+  /** Singleton instance. <code>null</code>, if none has been created. */
+  private static AuthConfigurationProvider instance;
+
+  //
+  // configuration data
+  //
+
+  /**
+	 * configuration files containing transformations for rendering in the 
+	 * secure viewer of the security layer implementation;
+	 * multiple files can be given for different mime types
+	 */
+  private String[] transformsInfoFileNames;
+	/**
+	 * transformations for rendering in the secure viewer of the security layer implementation,
+	 * read from {@link transformsInfoFileNames};
+	 * multiple transformation can be given for different mime types
+	 */
+  private String[] transformsInfos;
+  /**
+   * parameters for connection to MOA SP component
+   */
+  private ConnectionParameter moaSpConnectionParameter;
+	/**
+	 * trust profile ID to be used for verifying the identity link signature via MOA ID SP
+	 */  
+  private String moaSpIdentityLinkTrustProfileID;
+	/**
+	 * trust profile ID to be used for verifying the AUTH block signature via MOA ID SP
+	 */  
+  private String moaSpAuthBlockTrustProfileID;
+	/**
+	 * transformations to be used for verifying the AUTH block signature via MOA ID SP
+	 */  
+  private String[] moaSpAuthBlockVerifyTransformsInfoIDs;
+  /**
+   * X509 SubjectNames which will be trusted
+   */
+  private String[] identityLinkX509SubjectNames;
+ 
+  /**
+   * configuration parameters for online applications
+   */
+  private OAAuthParameter[] onlineApplicationAuthParameters;
+  /**
+   * the Selection Type of the bku Selection Element
+   */
+  private String bKUSelectionType;
+  /**
+   * is the bku Selection Element present?
+   */
+  private boolean bKUSelectable;
+  /**
+   * the bku Selection Connection Parameters
+   */
+  private ConnectionParameter bKUConnectionParameter;
+ /**
+   * Return the single instance of configuration data.
+   * 
+   * @return AuthConfigurationProvider The current configuration data.
+   * @throws ConfigurationException 
+   */
+  public static synchronized AuthConfigurationProvider getInstance()
+    throws ConfigurationException {
+
+    if (instance == null) {
+      reload();
+    }
+    return instance;
+  }
+
+  /**
+   * Reload the configuration data and set it if successful.
+   * 
+   * @return AuthConfigurationProvider The loaded configuration data.
+   * @throws ConfigurationException Failure to load the configuration data.
+   */
+  public static synchronized AuthConfigurationProvider reload()
+    throws ConfigurationException {
+    String fileName = System.getProperty(ConfigurationProvider.CONFIG_PROPERTY_NAME);
+    if (fileName == null) {
+      throw new ConfigurationException("config.01", null);
+    }
+    Logger.info("Loading MOA-ID-AUTH configuration " + fileName);
+
+    instance = new AuthConfigurationProvider(fileName);
+    return instance;
+  }
+
+  /**
+   * Constructor for AuthConfigurationProvider.
+   * @param fileName
+   * @throws ConfigurationException
+   */
+  public AuthConfigurationProvider(String fileName)
+    throws ConfigurationException {
+
+    load(fileName);
+  }
+
+  /**
+   * Load the configuration data from XML file with the given name and build
+   * the internal data structures representing the MOA ID configuration.
+   * 
+   * @param fileName The name of the XML file to load.
+   * @throws ConfigurationException The MOA configuration could not be
+   * read/built.
+   */
+  private void load(String fileName) throws ConfigurationException {
+    InputStream stream = null;
+    Element configElem;
+    ConfigurationBuilder builder;
+
+    try {
+      // load the main config file
+      stream = new BufferedInputStream(new FileInputStream(fileName));
+      configElem = DOMUtils.parseXmlValidating(stream);
+    } catch (Throwable t) {
+      throw new ConfigurationException("config.03", null, t);
+    } 
+    finally {
+      try {
+        if (stream != null) {
+          stream.close();
+        }
+      } catch (IOException e) {
+      }
+    }
+		try {
+      // build the internal datastructures
+      builder = new ConfigurationBuilder(configElem);
+      bKUConnectionParameter = builder.buildAuthBKUConnectionParameter();
+      bKUSelectable = (bKUConnectionParameter!=null);
+      bKUSelectionType = builder.buildAuthBKUSelectionType();
+		  genericConfiguration = builder.buildGenericConfiguration();
+		  transformsInfoFileNames = builder.buildTransformsInfoFileNames();
+		  loadTransformsInfos();
+	    moaSpConnectionParameter = builder.buildMoaSpConnectionParameter();
+	    moaSpIdentityLinkTrustProfileID = builder.getMoaSpIdentityLinkTrustProfileID();
+	    moaSpAuthBlockTrustProfileID = builder.getMoaSpAuthBlockTrustProfileID();
+	    moaSpAuthBlockVerifyTransformsInfoIDs = builder.buildMoaSpAuthBlockVerifyTransformsInfoIDs();
+	    onlineApplicationAuthParameters  = builder.buildOnlineApplicationAuthParameters();
+      identityLinkX509SubjectNames =  builder.getIdentityLink_X509SubjectNames();
+      defaultChainingMode = builder.getDefaultChainingMode();
+      chainingModes = builder.buildChainingModes();  
+      trustedCACertificates = builder.getTrustedCACertificates();    } 
+    catch (Throwable t) {
+      throw new ConfigurationException("config.02", null, t);
+  	}
+  }
+
+  /**
+   * Loads the <code>transformsInfos</code> from files.
+   * @throws Exception on any exception thrown
+   */
+  private void loadTransformsInfos() throws Exception {
+	 	transformsInfos = new String[transformsInfoFileNames.length];
+  	for (int i = 0; i < transformsInfoFileNames.length; i++) {
+  		String fileURL = transformsInfoFileNames[i];
+			String transformsInfo = FileUtils.readURL(fileURL, DEFAULT_ENCODING);
+ 			transformsInfos[i] = transformsInfo;
+  	}
+  }
+  /**
+   * Return a string array with all filenames leading
+   * to the Transforms Information for the Security Layer
+   * @return String[] of filenames to the Security Layer Transforms Information
+   */
+  public String[] getTransformsInfoFileNames()  {
+  	return transformsInfoFileNames;
+  }
+  
+  /**
+   * Build an array of the OnlineApplication Parameters containing information 
+   * about the authentication component
+   * @return An OAProxyParameter array containing beans
+   * with all relevant information for theauthentication component of the online 
+   * application
+   */
+  public OAAuthParameter[] getOnlineApplicationParameters() {
+    return onlineApplicationAuthParameters;
+  }
+
+  /**
+   * Provides configuration information regarding the online application behind
+   * the given URL, relevant to the MOA-ID Auth component.
+   * 
+   * @param oaURL URL requested for an online application
+   * @return an <code>OAAuthParameter</code>, or <code>null</code>
+   * 					if none is applicable
+   */
+  public OAAuthParameter getOnlineApplicationParameter(String oaURL) {
+  	OAAuthParameter[] oaParams = getOnlineApplicationParameters();
+  	for (int i = 0; i < oaParams.length; i++) {
+  		OAAuthParameter oaParam = oaParams[i];
+  		if (oaURL.indexOf(oaParam.getPublicURLPrefix()) == 0)
+  			return oaParam;
+  	}
+    return null;
+  }
+
+  /**
+   * Return a string with a url-reference to the VerifyAuthBlock trust 
+   * profile id within the moa-sp part of the authentication component
+   * 
+   * @return String with a url-reference to the VerifyAuthBlock trust profile ID
+   */
+  public String getMoaSpAuthBlockTrustProfileID() {
+    return moaSpAuthBlockTrustProfileID;
+  }
+
+  /**
+   * Return a string array with references to all verify transform info 
+   * IDs within the moa-sp part of the authentication component
+   * @return A string array containing all urls to the 
+   * verify transform info IDs
+   */
+  public String[] getMoaSpAuthBlockVerifyTransformsInfoIDs() {
+    return moaSpAuthBlockVerifyTransformsInfoIDs;
+  }
+
+  /**
+   * Return a ConnectionParameter bean containing all information
+   * of the authentication component moa-sp element 
+   * @return ConnectionParameter of the authentication component moa-sp element 
+   */
+  public ConnectionParameter getMoaSpConnectionParameter() {
+    return moaSpConnectionParameter;
+  }
+
+  /**
+   * Return a string with a url-reference to the VerifyIdentityLink trust 
+   * profile id within the moa-sp part of the authentication component
+   * @return String with a url-reference to the VerifyIdentityLink trust profile ID
+   */
+  public String getMoaSpIdentityLinkTrustProfileID() {
+    return moaSpIdentityLinkTrustProfileID;
+  }
+  /**
+   * Returns the transformsInfos.
+   * @return String[]
+   */
+  public String[] getTransformsInfos() {
+    return transformsInfos;
+  }
+
+  /**
+   * Returns the identityLinkX509SubjectNames.
+   * @return String[]
+   */
+  public String[] getIdentityLinkX509SubjectNames() {
+    return identityLinkX509SubjectNames;
+  }
+
+  /**
+   * Returns the bKUConnectionParameter.
+   * @return ConnectionParameter
+   */
+  public ConnectionParameter getBKUConnectionParameter() {
+    return bKUConnectionParameter;
+  }
+
+  /**
+   * Returns the bKUSelectable.
+   * @return boolean
+   */
+  public boolean isBKUSelectable() {
+    return bKUSelectable;
+  }
+
+  /**
+   * Returns the bKUSelectionType.
+   * @return String
+   */
+  public String getBKUSelectionType() {
+    return bKUSelectionType;
+  }
+
+}
\ No newline at end of file
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
new file mode 100644
index 000000000..9ee1ec606
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -0,0 +1,93 @@
+package at.gv.egovernment.moa.id.config.auth;
+
+/**
+ * Configuration parameters belonging to an online application,
+ * to use with the MOA ID Auth component.
+ *
+ * @author Stefan Knirsch
+ * @version $Id$
+ */
+public class OAAuthParameter {
+
+	/**
+	 * public URL prefix of the online application
+	 */
+  private String publicURLPrefix;
+	/**
+	 * determines whether "ZMR-Zahl" is to be included in the authentication data
+	 */
+  private boolean provideZMRZahl;
+	/**
+	 * determines whether AUTH block is to be included in the authentication data
+	 */
+  private boolean provideAuthBlock;
+	/**
+	 * determines whether identity link is to be included in the authentication data
+	 */
+  private boolean provideIdentityLink;
+
+  /**
+   * Returns the provideAuthBlock.
+   * @return String
+   */
+  public boolean getProvideAuthBlock() {
+    return provideAuthBlock;
+  }
+
+  /**
+   * Returns the provideIdentityLink.
+   * @return String
+   */
+  public boolean getProvideIdentityLink() {
+    return provideIdentityLink;
+  }
+
+  /**
+   * Returns the provideZMRZahl.
+   * @return String
+   */
+  public boolean getProvideZMRZahl() {
+    return provideZMRZahl;
+  }
+
+  /**
+   * Returns the publicURLPrefix.
+   * @return String
+   */
+  public String getPublicURLPrefix() {
+    return publicURLPrefix;
+  }
+
+  /**
+   * Sets the provideAuthBlock.
+   * @param provideAuthBlock The provideAuthBlock to set
+   */
+  public void setProvideAuthBlock(boolean provideAuthBlock) {
+    this.provideAuthBlock = provideAuthBlock;
+  }
+
+  /**
+   * Sets the provideIdentityLink.
+   * @param provideIdentityLink The provideIdentityLink to set
+   */
+  public void setProvideIdentityLink(boolean provideIdentityLink) {
+    this.provideIdentityLink = provideIdentityLink;
+  }
+
+  /**
+   * Sets the provideZMRZahl.
+   * @param provideZMRZahl The provideZMRZahl to set
+   */
+  public void setProvideZMRZahl(boolean provideZMRZahl) {
+    this.provideZMRZahl = provideZMRZahl;
+  }
+
+  /**
+   * Sets the publicURLPrefix.
+   * @param publicURLPrefix The publicURLPrefix to set
+   */
+  public void setPublicURLPrefix(String publicURLPrefix) {
+    this.publicURLPrefix = publicURLPrefix;
+  }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAConfiguration.java b/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAConfiguration.java
new file mode 100644
index 000000000..c9a13fee5
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAConfiguration.java
@@ -0,0 +1,145 @@
+package at.gv.egovernment.moa.id.config.proxy;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Holds configuration data concerning an online application for use by the MOA-ID Proxy component.
+ * These include the login type (stateful or stateless), the HTTP authentication type,
+ * and information needed to add authentication parameters or headers for a URL connection 
+ * to the remote online application.
+ * @see <code>MOAIDConfiguration-1.1.xsd</code>, element <code>Configuration</code>
+ * 
+ * @author Stefan Knirsch
+ * @version $Id$
+ */
+public class OAConfiguration {
+
+  /** Constant for an login method */  
+  public static final String LOGINTYPE_STATEFUL = "stateful";
+  /** Constant for an login method */
+  public static final String LOGINTYPE_STATELESS = "stateless";
+  
+  /** Constant for an auth method */
+  public static final String BASIC_AUTH = "basic";
+  /** Constant for an auth method */
+  public static final String HEADER_AUTH = "header";
+  /** Constant for an auth method */
+  public static final String PARAM_AUTH = "param";
+  
+  /** login type: stateful or stateless */
+  String loginType;
+  /** authentication type: basic, header, or param */
+  String authType;
+  /** 
+   * mapping of parameter names to AuthenticationData field names
+   * in case of authentication type <code>"header-auth"</code>
+   */
+  Map paramAuthMapping;
+  /** 
+   * mapping of parameter names to AuthenticationData field names
+   * in case of authentication type <code>"param-auth"</code>
+   */
+  Map headerAuthMapping;
+  /** mapping for user ID to be used in case of authentication type <code>"basic-auth"</code> */
+  String basicAuthUserIDMapping;
+  /** mapping for password to be used in case of authentication type <code>"basic-auth"</code> */
+  String basicAuthPasswordMapping;
+  
+  /**
+   * Returns the basicAuthPasswordMapping.
+   * @return String
+   */
+  public String getBasicAuthPasswordMapping() {
+    return basicAuthPasswordMapping;
+  }
+  
+  /**
+   * Returns the basicAuthUserIDMapping.
+   * @return String
+   */
+  public String getBasicAuthUserIDMapping() {
+    return basicAuthUserIDMapping;
+  }
+  
+  /**
+   * Returns the headerAuthMapping.
+   * @return HashMap
+   */
+  public Map getHeaderAuthMapping() {
+    return headerAuthMapping;
+  }
+  
+  /**
+   * Returns the loginType.
+   * @return String
+   */
+  public String getLoginType() {
+    return loginType;
+  }
+  
+  /**
+   * Returns the paramAuthMapping.
+   * @return HashMap
+   */
+  public Map getParamAuthMapping() {
+    return paramAuthMapping;
+  }
+  
+  /**
+   * Sets the basicAuthPasswordMapping.
+   * @param basicAuthPasswordMapping The basicAuthPasswordMapping to set
+   */
+  public void setBasicAuthPasswordMapping(String basicAuthPassword) {
+    this.basicAuthPasswordMapping = basicAuthPassword;
+  }
+  
+  /**
+   * Sets the basicAuthUserIDMapping.
+   * @param basicAuthUserIDMapping The basicAuthUserIDMapping to set
+   */
+  public void setBasicAuthUserIDMapping(String basicAuthUserID) {
+    this.basicAuthUserIDMapping = basicAuthUserID;
+  }
+  
+  /**
+   * Sets the headerAuthMapping.
+   * @param headerAuthMapping The headerAuthMapping to set
+   */
+  public void setHeaderAuthMapping(HashMap headerAuth) {
+    this.headerAuthMapping = headerAuth;
+  }
+  
+  /**
+   * Sets the loginType.
+   * @param loginType The loginType to set
+   */
+  public void setLoginType(String loginType) {
+    this.loginType = loginType;
+  }
+  
+  /**
+   * Sets the paramAuthMapping.
+   * @param paramAuthMapping The paramAuthMapping to set
+   */
+  public void setParamAuthMapping(HashMap paramAuth) {
+    this.paramAuthMapping = paramAuth;
+  }
+  
+  /**
+   * Returns the authType.
+   * @return String
+   */
+  public String getAuthType() {
+    return authType;
+  }
+  
+  /**
+   * Sets the authType.
+   * @param authType The authType to set
+   */
+  public void setAuthType(String authLoginType) {
+    this.authType = authLoginType;
+  }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAProxyParameter.java b/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAProxyParameter.java
new file mode 100644
index 000000000..f08c60736
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/proxy/OAProxyParameter.java
@@ -0,0 +1,160 @@
+package at.gv.egovernment.moa.id.config.proxy;
+
+import at.gv.egovernment.moa.id.config.ConnectionParameter;
+
+/**
+ * Configuration parameters belonging to an online application,
+ * to use with the MOA ID Proxy component.
+ * 
+ * @author Stefan Knirsch
+ * @version $Id$
+ */
+public class OAProxyParameter {
+
+	/**
+	 * public URL prefix of the online application
+	 */
+  private String publicURLPrefix;
+  /**
+   * URL of online application configuration file;
+   * defaults to relative URL <code>/moaconfig.xml</code>
+   */
+  private String configFileURL;
+  /**
+   * implementation of {@link  at.gv.egovernment.moa.id.proxy.LoginParameterResolver} interface
+   * to be used for authenticating the online application;
+   * defaults to {@link  at.gv.egovernment.moa.id.proxy.DefaultLoginParameterResolver}
+   */
+  private String loginParameterResolverImpl;
+  /**
+   * implementation of {@link  at.gv.egovernment.moa.id.proxy.ConnectionBuilder} interface
+   * to be used for connecting to the online application;
+   * defaults to {@link  at.gv.egovernment.moa.id.proxy.DefaultConnectionBuilder}
+   */
+  private String connectionBuilderImpl;
+  /**
+   * session time out to be used in case of a stateless online application
+   */
+  private int sessionTimeOut;
+  /**
+   * parameters regarding the connection from the proxy to the online application
+   */
+  private ConnectionParameter connectionParameter;
+  /**
+   * parameters for logging into the online application
+   */
+  private OAConfiguration oaConfiguration;
+
+  /**
+   * Returns the configFileURL.
+   * @return String
+   */
+  public String getConfigFileURL() {
+    return configFileURL;
+  }
+
+  /**
+   * Returns the sessionTimeOut.
+   * @return int
+   */
+  public int getSessionTimeOut() {
+    return sessionTimeOut;
+  }
+
+  /**
+   * Returns the connectionParameter.
+   * @return ConnectionParameter
+   */
+  public ConnectionParameter getConnectionParameter() {
+    return connectionParameter;
+  }
+
+  /**
+   * Sets the configFileURL.
+   * @param configFileURL The configFileURL to set
+   */
+  public void setConfigFileURL(String oaProxyConfigFileURL) {
+    this.configFileURL = oaProxyConfigFileURL;
+  }
+
+  /**
+   * Sets the sessionTimeOut.
+   * @param sessionTimeOut The sessionTimeOut to set
+   */
+  public void setSessionTimeOut(int oaProxySessionTimeOut) {
+    this.sessionTimeOut = oaProxySessionTimeOut;
+  }
+
+  /**
+   * Sets the connectionParameter.
+   * @param connectionParameter The connectionParameter to set
+   */
+  public void setConnectionParameter(ConnectionParameter proxyConnectionParameter) {
+    this.connectionParameter = proxyConnectionParameter;
+  }
+
+  /**
+   * Returns the publicURLPrefix.
+   * @return String
+   */
+  public String getPublicURLPrefix() {
+    return publicURLPrefix;
+  }
+
+  /**
+   * Sets the publicURLPrefix.
+   * @param publicURLPrefix The publicURLPrefix to set
+   */
+  public void setPublicURLPrefix(String url) {
+    this.publicURLPrefix = url;
+  }
+
+  /**
+   * Returns the connectionBuilderImpl.
+   * @return String
+   */
+  public String getConnectionBuilderImpl() {
+    return connectionBuilderImpl;
+  }
+
+  /**
+   * Returns the loginParameterResolverImpl.
+   * @return String
+   */
+  public String getLoginParameterResolverImpl() {
+    return loginParameterResolverImpl;
+  }
+
+  /**
+   * Sets the connectionBuilderImpl.
+   * @param connectionBuilderImpl The connectionBuilderImpl to set
+   */
+  public void setConnectionBuilderImpl(String connectionBuilderImp) {
+    this.connectionBuilderImpl = connectionBuilderImp;
+  }
+
+  /**
+   * Sets the loginParameterResolverImpl.
+   * @param loginParameterResolverImpl The loginParameterResolverImpl to set
+   */
+  public void setLoginParameterResolverImpl(String loginParameterResolverImpl) {
+    this.loginParameterResolverImpl = loginParameterResolverImpl;
+  }
+
+  /**
+   * Returns the oaConfiguration.
+   * @return OAConfiguration
+   */
+  public OAConfiguration getOaConfiguration() {
+    return oaConfiguration;
+  }
+
+  /**
+   * Sets the oaConfiguration.
+   * @param oaConfiguration The oaConfiguration to set
+   */
+  public void setOaConfiguration(OAConfiguration oaConfiguration) {
+    this.oaConfiguration = oaConfiguration;
+  }
+
+}
diff --git a/id.server/src/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java b/id.server/src/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java
new file mode 100644
index 000000000..897d14da9
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/config/proxy/ProxyConfigurationProvider.java
@@ -0,0 +1,170 @@
+package at.gv.egovernment.moa.id.config.proxy;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.config.ConfigurationBuilder;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
+
+/**
+ * A class providing access to the Proxy Part of the MOA-ID configuration data.
+ * 
+ * <p>Configuration data is read from an XML file, whose location is given by
+ * the <code>moa.id.configuration</code> system property.</p>
+ * <p>This class implements the Singleton pattern. The <code>reload()</code>
+ * method can be used to update the configuration data. Therefore, it is not
+ * guaranteed that consecutive calls to <code>getInstance()</code> will return
+ * the same <code>ProxyConfigurationProvider</code> all the time. During the
+ * processing of a web service request, the current
+ * <code>TransactionContext</code> should be used to obtain the
+ * <code>ProxyConfigurationProvider</code> local to that request.</p>
+ * 
+ * @author Stefan Knirsch
+ */
+public class ProxyConfigurationProvider extends ConfigurationProvider {
+
+  /** Singleton instance. <code>null</code>, if none has been created. */
+  private static ProxyConfigurationProvider instance;
+
+  //
+  // configuration data
+  //
+  /**
+   * connection parameters for connection to MOA ID Auth component
+   */
+  private ConnectionParameter authComponentConnectionParameter;
+  /**
+   * configuration parameters for online applications
+   */
+  private OAProxyParameter[] onlineApplicationProxyParameter;
+
+  /**
+   * Return the single instance of configuration data.
+   * 
+   * @return ProxyConfigurationProvider The current configuration data.
+   * @throws ConfigurationException 
+   */
+  public static synchronized ProxyConfigurationProvider getInstance()
+    throws ConfigurationException {
+
+    if (instance == null) {
+      reload();
+    }
+    return instance;
+  }
+
+  /**
+   * Reload the configuration data and set it if successful.
+   * 
+   * @return ProxyConfigurationProvider The loaded configuration data.
+   * @throws ConfigurationException Failure to load the configuration data.
+   */
+  public static synchronized ProxyConfigurationProvider reload()
+    throws ConfigurationException {
+    String fileName = System.getProperty(CONFIG_PROPERTY_NAME);
+    if (fileName == null) {
+      throw new ConfigurationException("config.01", null);
+    }
+    Logger.info("Loading MOA-ID-PROXY configuration " + fileName);
+
+    instance = new ProxyConfigurationProvider(fileName);
+    return instance;
+  }
+
+  /**
+   * Constructor for ProxyConfigurationProvider.
+   */
+  public ProxyConfigurationProvider(String fileName)
+    throws ConfigurationException {
+
+    load(fileName);
+  }
+
+  /**
+   * Load the configuration data from XML file with the given name and build
+   * the internal data structures representing the MOA configuration.
+   * 
+   * @param fileName The name of the XML file to load.
+   * @throws ConfigurationException The MOA configuration could not be
+   * read/built.
+   */
+  private void load(String fileName) throws ConfigurationException {
+    FileInputStream stream = null;
+    Element configElem;
+    ConfigurationBuilder builder;
+
+    try {
+      // load the main config file
+      stream = new FileInputStream(fileName);
+      configElem = DOMUtils.parseXmlValidating(stream);
+    } 
+    catch (Throwable t) {
+      throw new ConfigurationException("config.03", null, t);
+    } 
+    finally {
+      try {
+        if (stream != null) {
+          stream.close();
+        }
+      } 
+      catch (IOException e) {
+      }
+    }
+		try {
+      // build the internal datastructures
+      builder = new ConfigurationBuilder(configElem);
+      authComponentConnectionParameter = builder.buildAuthComponentConnectionParameter();
+      onlineApplicationProxyParameter = builder.buildOnlineApplicationProxyParameters();  
+      genericConfiguration = builder.buildGenericConfiguration();
+      defaultChainingMode = builder.getDefaultChainingMode();
+      chainingModes = builder.buildChainingModes();  
+      trustedCACertificates = builder.getTrustedCACertificates();
+    } 
+    catch (Throwable t) {
+      throw new ConfigurationException("config.02", null, t);
+    }
+  }
+
+ /**
+   * Return a bean containing all information about the ProxyComponent
+   * @return The ConnectionParameter for the Proxy Component
+   */
+  public ConnectionParameter getAuthComponentConnectionParameter() {
+    return authComponentConnectionParameter;
+  }
+  
+  /**
+   * Build an array of OnlineApplication Parameter Beans containing all
+   * information about the proxy component of the online application
+   * @return An OAProxyParameter array containing beans
+   * with all relevant information for the proxy component of the online 
+   * application
+   */
+  public OAProxyParameter[] getOnlineApplicationParameters() {
+    return onlineApplicationProxyParameter;
+  }
+  /**
+   * Provides configuration information regarding the online application behind
+   * the given URL, relevant to the MOA-ID Proxy component.
+   * 
+   * @param oaURL URL requested for an online application
+   * @return an <code>OAProxyParameter</code>, or <code>null</code>
+   * 					if none is applicable
+   */
+  public OAProxyParameter getOnlineApplicationParameter(String oaURL) {
+  	OAProxyParameter[] oaParams = getOnlineApplicationParameters();
+  	for (int i = 0; i < oaParams.length; i++) {
+  		OAProxyParameter oaParam = oaParams[i];
+  		if (oaURL.startsWith(oaParam.getPublicURLPrefix()))
+  			return oaParam;
+  	}
+    return null;
+  }
+
+}
\ No newline at end of file