ConfigWebTool Version 0.9.5

 --PVP2 Login
 --PVP2 Users to UserDatabase functionality
 --Mailaddress verification
 --Mail status messages to users and admin
 --add List with OpenRequests for admins
 --change OA Target configuration
 --add cleanUp Thread to remove old unused UserAccount requests
 --update UserDatabase to support PVP2 logins
 --add formID element validate received forms

 -- add first classes for STORK configuration

make some Bugfixes

5 files changed, 702 insertions, 5 deletions

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java
index 8f75a357c..009a13f4b 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java
@@ -2,14 +2,19 @@ package at.gv.egovernment.moa.id.configuration.auth;
 
 import java.util.Date;
 
+import at.gv.egovernment.moa.id.configuration.helper.DateTimeHelper;
+
 public class AuthenticatedUser {
 
 	private boolean isAuthenticated = false;
 	private boolean isAdmin = false;
+	private boolean isPVP2Login = false;
+	private boolean isMandateUser = false;
 	
 	private long userID;
 	private String givenName;
 	private String familyName;
+	private String institute;
 	private String userName;
 	private Date lastLogin;
 
@@ -17,18 +22,26 @@ public class AuthenticatedUser {
 		
 	}
 	
-	public AuthenticatedUser(long userID, String givenName, String familyName, String userName,
-			boolean isAuthenticated, boolean isAdmin) {
+	public AuthenticatedUser(long userID, String givenName, String familyName, String institute, 
+			String userName, boolean isAuthenticated, boolean isAdmin, boolean isMandateUser, 
+			boolean isPVP2Login) {
 		
 		this.familyName = familyName;
 		this.givenName = givenName;
 		this.userName = userName;
 		this.userID = userID;
+		this.institute = institute;
 		this.isAdmin = isAdmin;
 		this.isAuthenticated = isAuthenticated;
+		this.isMandateUser = isMandateUser;
+		this.isPVP2Login = isPVP2Login;
 		this.lastLogin = new Date();
 	}
 
+	public String getFormatedLastLogin() {
+		return DateTimeHelper.getDateTime(lastLogin);
+	}
+	
 	/**
 	 * @return the isAuthenticated
 	 */
@@ -105,7 +118,7 @@ public class AuthenticatedUser {
 	public Date getLastLogin() {
 		return lastLogin;
 	}
-
+	
 	/**
 	 * @param lastLogin the lastLogin to set
 	 */
@@ -126,8 +139,49 @@ public class AuthenticatedUser {
 	public void setUserName(String userName) {
 		this.userName = userName;
 	}
+
+	/**
+	 * @return the institute
+	 */
+	public String getInstitute() {
+		return institute;
+	}
+
+	/**
+	 * @param institute the institute to set
+	 */
+	public void setInstitute(String institute) {
+		this.institute = institute;
+	}
+
+	/**
+	 * @return the isPVP2Login
+	 */
+	public boolean isPVP2Login() {
+		return isPVP2Login;
+	}
+
+	/**
+	 * @param isPVP2Login the isPVP2Login to set
+	 */
+	public void setPVP2Login(boolean isPVP2Login) {
+		this.isPVP2Login = isPVP2Login;
+	}
+
+	/**
+	 * @return the isMandateUser
+	 */
+	public boolean isMandateUser() {
+		return isMandateUser;
+	}
+
+	/**
+	 * @param isMandateUser the isMandateUser to set
+	 */
+	public void setMandateUser(boolean isMandateUser) {
+		this.isMandateUser = isMandateUser;
+	}
 	
 	
-	
-	
+
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/AttributeListBuilder.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/AttributeListBuilder.java
new file mode 100644
index 000000000..199e89d7c
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/AttributeListBuilder.java
@@ -0,0 +1,50 @@
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+
+import at.gv.egovernment.moa.id.configuration.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+
+public class AttributeListBuilder implements PVPConstants{
+
+	protected static RequestedAttribute buildReqAttribute(String name, String friendlyName, boolean required) {
+		RequestedAttribute attribute = SAML2Utils.createSAMLObject(RequestedAttribute.class);
+		attribute.setIsRequired(required);
+		attribute.setName(name);
+		attribute.setFriendlyName(friendlyName);
+		attribute.setNameFormat(Attribute.URI_REFERENCE);
+		return attribute;
+	}
+	
+	public static List<RequestedAttribute> getRequestedAttributes() {
+		List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>();
+		
+		requestedAttributes.add(buildReqAttribute(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(GIVEN_NAME_NAME, GIVEN_NAME_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(BIRTHDATE_NAME, BIRTHDATE_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(BPK_NAME, BPK_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(EID_CITIZEN_QAA_LEVEL_NAME, EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(EID_ISSUING_NATION_NAME, EID_ISSUING_NATION_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(EID_SECTOR_FOR_IDENTIFIER_NAME, EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, true));
+		
+		requestedAttributes.add(buildReqAttribute(MANDATE_TYPE_NAME, MANDATE_TYPE_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_LEG_PER_FULL_NAME_NAME, MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_LEG_PER_SOURCE_PIN_NAME, MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, false));
+		
+		requestedAttributes.add(buildReqAttribute(MANDATE_NAT_PER_BIRTHDATE_NAME, MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_NAT_PER_BPK_NAME, MANDATE_NAT_PER_BPK_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_NAT_PER_FAMILY_NAME_NAME, MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_NAT_PER_GIVEN_NAME_NAME, MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, false));
+		
+		requestedAttributes.add(buildReqAttribute(MANDATE_REFERENCE_VALUE_NAME, MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_PROF_REP_OID_NAME, MANDATE_PROF_REP_OID_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_PROF_REP_DESC_NAME, MANDATE_PROF_REP_DESC_FRIENDLY_NAME, false));
+		return requestedAttributes;
+	}
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
new file mode 100644
index 000000000..ed496ae16
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
@@ -0,0 +1,245 @@
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
+
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
+import org.joda.time.DateTime;
+import org.opensaml.Configuration;
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.Subject;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCredentialResolverFactory;
+import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.credential.BasicCredential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.utils.SAML2Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.iaik.commons.util.ConfigException;
+
+
+/**
+ * Servlet implementation class Authenticate
+ */
+public class Authenticate extends HttpServlet {
+	private static final long serialVersionUID = 1L;
+
+	private static final Logger log = LoggerFactory
+			.getLogger(Authenticate.class);	
+	/**
+	 * @see HttpServlet#HttpServlet()
+	 */
+	public Authenticate() {
+		super();
+		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		factory.setNamespaceAware(true);
+		try {
+			builder = factory.newDocumentBuilder();
+		} catch (ParserConfigurationException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	DocumentBuilder builder;
+
+	public Document asDOMDocument(XMLObject object) throws IOException,
+			MarshallingException, TransformerException {
+		Document document = builder.newDocument();
+		Marshaller out = Configuration.getMarshallerFactory().getMarshaller(
+				object);
+		out.marshall(object, document);
+		return document;
+	}
+
+	protected void process(HttpServletRequest request,
+			HttpServletResponse response, Map<String,String> legacyParameter) throws ServletException, IOException {
+		try {
+			
+			ConfigurationProvider config = ConfigurationProvider.getInstance();
+			config.initializePVP2Login();
+			
+			AuthnRequest authReq = SAML2Utils
+					.createSAMLObject(AuthnRequest.class);
+			SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+			authReq.setID(gen.generateIdentifier());
+			
+			HttpSession session = request.getSession();
+			if (session != null) {
+				session.setAttribute(Constants.SESSION_PVP2REQUESTID, authReq.getID());
+			}
+			
+			authReq.setAssertionConsumerServiceIndex(0);
+			authReq.setAttributeConsumingServiceIndex(0);
+			authReq.setIssueInstant(new DateTime());
+			Subject subject = SAML2Utils.createSAMLObject(Subject.class);
+			NameID name = SAML2Utils.createSAMLObject(NameID.class);
+			Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+			
+			String serviceURL = config.getPublicUrlPreFix(request);
+			if (!serviceURL.endsWith("/"))
+				serviceURL = serviceURL + "/";
+			name.setValue(serviceURL);
+			issuer.setValue(serviceURL);
+
+			subject.setNameID(name);
+			authReq.setSubject(subject);
+			issuer.setFormat(NameIDType.ENTITY);
+			authReq.setIssuer(issuer);
+			NameIDPolicy policy = SAML2Utils
+					.createSAMLObject(NameIDPolicy.class);
+			policy.setAllowCreate(true);
+			policy.setFormat(NameID.PERSISTENT);
+			authReq.setNameIDPolicy(policy);
+			
+			String entityname = config.getPVP2IDPMetadataEntityName();
+			if (MiscUtil.isEmpty(entityname)) {
+				log.info("No IDP EntityName configurated");
+				throw new ConfigurationException("No IDP EntityName configurated");
+			}
+			
+			HTTPMetadataProvider idpmetadata = config.getMetaDataProvier();
+			EntityDescriptor idpEntity = idpmetadata.getEntityDescriptor(entityname);
+			if (idpEntity == null) {
+				log.info("IDP EntityName is not found in IDP Metadata");
+				throw new ConfigurationException("IDP EntityName is not found in IDP Metadata");
+			}
+			
+			SingleSignOnService redirectEndpoint = null;  
+			for (SingleSignOnService sss : 
+					idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
+				
+				if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { //Get the service address for the binding you wish to use  
+					redirectEndpoint = sss;  
+				}  
+			}
+						
+			authReq.setDestination(redirectEndpoint.getLocation());
+			
+			RequestedAuthnContext reqAuthContext = 
+					SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
+			
+			AuthnContextClassRef authnClassRef = 
+					SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+			
+			authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+
+			reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+			
+			reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
+			
+			authReq.setRequestedAuthnContext(reqAuthContext);
+			
+			KeyStore keyStore = config.getPVP2KeyStore();
+
+			X509Credential authcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreAuthRequestKeyAlias(), 
+					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());
+
+			Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
+			signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+			signer.setSigningCredential(authcredential);
+
+			authReq.setSignature(signer);
+
+			VelocityEngine engine = new VelocityEngine();
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+			engine.setProperty("classpath.resource.loader.class",
+					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+			engine.init();
+
+			HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
+					"templates/pvp_postbinding_template.html");
+			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+					response, true);
+			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+			SingleSignOnService service = new SingleSignOnServiceBuilder()
+					.buildObject();
+			service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+			service.setLocation(redirectEndpoint.getLocation());;
+			
+			context.setOutboundSAMLMessageSigningCredential(authcredential);
+			context.setPeerEntityEndpoint(service);
+			context.setOutboundSAMLMessage(authReq);
+			context.setOutboundMessageTransport(responseAdapter);
+
+			encoder.encode(context);
+
+		} catch (Exception e) {
+			log.warn("Authentication Request can not be generated", e);
+			throw new ServletException("Authentication Request can not be generated.", e);
+		}
+	}
+
+	/**
+	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doGet(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+				
+		process(request, response, null);
+	}
+
+	/**
+	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doPost(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+		process(request, response, null);
+	}
+
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
new file mode 100644
index 000000000..fa02443dc
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
@@ -0,0 +1,288 @@
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+
+import org.apache.log4j.Logger;
+import org.opensaml.Configuration;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.ServiceName;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xml.signature.SignatureException;
+import org.opensaml.xml.signature.Signer;
+import org.w3c.dom.Document;
+
+import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.utils.SAML2Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * Servlet implementation class BuildMetadata
+ */
+public class BuildMetadata extends HttpServlet {
+	private static final long serialVersionUID = 1L;
+	
+	private static final Logger log = Logger.getLogger(BuildMetadata.class);
+
+	/**
+	 * @see HttpServlet#HttpServlet()
+	 */
+	public BuildMetadata() {
+		super();
+	}
+
+	protected static Signature getSignature(Credential credentials) {
+		Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+		signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+		signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+		signer.setSigningCredential(credentials);
+		return signer;
+	}
+	
+	/**
+	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doGet(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+		try {
+			ConfigurationProvider config = ConfigurationProvider.getInstance();
+			
+			//config.initializePVP2Login();
+			
+			SecureRandomIdentifierGenerator idGen = new SecureRandomIdentifierGenerator();
+			
+			EntitiesDescriptor spEntitiesDescriptor = SAML2Utils.
+					createSAMLObject(EntitiesDescriptor.class);
+			
+			String name = config.getPVP2MetadataEntitiesName();
+			if (MiscUtil.isEmpty(name)) {
+				log.info("NO Metadata EntitiesName configurated");
+				throw new ConfigurationException("NO Metadata EntitiesName configurated");
+			}
+			
+			spEntitiesDescriptor.setName(name);
+			spEntitiesDescriptor.setID(idGen.generateIdentifier());
+			
+			EntityDescriptor spEntityDescriptor = SAML2Utils
+					.createSAMLObject(EntityDescriptor.class);
+
+			spEntitiesDescriptor.getEntityDescriptors().add(spEntityDescriptor);
+			
+			String serviceURL = config.getPublicUrlPreFix(request);
+			if (!serviceURL.endsWith("/"))
+				serviceURL = serviceURL + "/";
+			
+			log.debug("Set OnlineApplicationURL to " + serviceURL);
+			spEntityDescriptor.setEntityID(serviceURL);
+
+			SPSSODescriptor spSSODescriptor = SAML2Utils
+					.createSAMLObject(SPSSODescriptor.class);
+
+			spSSODescriptor.setAuthnRequestsSigned(true);
+			spSSODescriptor.setWantAssertionsSigned(true);
+
+			X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
+			keyInfoFactory.setEmitEntityCertificate(true);
+			KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
+			
+			KeyStore keyStore = config.getPVP2KeyStore();
+
+			X509Credential signingcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreMetadataKeyAlias(), 
+					config.getPVP2KeystoreMetadataKeyPassword().toCharArray());
+
+			
+			log.debug("Set Metadata key information");
+			//Set MetaData Signing key
+			KeyDescriptor entitiesSignKeyDescriptor = SAML2Utils
+					.createSAMLObject(KeyDescriptor.class);
+			entitiesSignKeyDescriptor.setUse(UsageType.SIGNING);
+			entitiesSignKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingcredential));
+			Signature entitiesSignature = getSignature(signingcredential);
+			
+			X509Credential authcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreAuthRequestKeyAlias(), 
+					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());
+			
+			
+			//Set AuthRequest Signing certificate
+			KeyDescriptor signKeyDescriptor = SAML2Utils
+					.createSAMLObject(KeyDescriptor.class);
+			signKeyDescriptor.setUse(UsageType.SIGNING);
+			signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));	
+			spEntitiesDescriptor.setSignature(entitiesSignature);
+			spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
+			
+			NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+			persistentnameIDFormat.setFormat(NameIDType.PERSISTENT);
+			
+			spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat);
+			
+			NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+			transientnameIDFormat.setFormat(NameIDType.TRANSIENT);
+			
+			spSSODescriptor.getNameIDFormats().add(transientnameIDFormat);
+			
+			NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+			unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED);
+			
+			spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat);
+						
+			AssertionConsumerService postassertionConsumerService = 
+					SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+			
+			postassertionConsumerService.setIndex(0);
+			postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+			postassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);
+			
+			spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
+			
+			spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
+			
+			spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+			
+			spSSODescriptor.setWantAssertionsSigned(true);
+			spSSODescriptor.setAuthnRequestsSigned(true);
+			AttributeConsumingService attributeService = 
+					SAML2Utils.createSAMLObject(AttributeConsumingService.class);
+			
+			attributeService.setIndex(0);
+			attributeService.setIsDefault(true);
+			ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class);
+			serviceName.setName(new LocalizedString("Default Service", "de"));
+			attributeService.getNames().add(serviceName);
+			
+			attributeService.getRequestAttributes().addAll(AttributeListBuilder.getRequestedAttributes());
+			
+			spSSODescriptor.getAttributeConsumingServices().add(attributeService);
+
+			DocumentBuilder builder;
+			DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+			
+			builder = factory.newDocumentBuilder();
+			Document document = builder.newDocument();
+			Marshaller out = Configuration.getMarshallerFactory().getMarshaller(spEntitiesDescriptor);
+			out.marshall(spEntitiesDescriptor, document);
+			
+			Signer.signObject(entitiesSignature);
+			
+			Transformer transformer = TransformerFactory.newInstance().newTransformer();
+			
+			StringWriter sw = new StringWriter();
+			StreamResult sr = new StreamResult(sw);
+			DOMSource source  = new DOMSource(document);
+			transformer.transform(source, sr);
+			sw.close();
+			
+			String metadataXML = sw.toString();
+						
+			response.setContentType("text/xml");
+			response.getOutputStream().write(metadataXML.getBytes());
+			
+			response.getOutputStream().close();
+			
+		} catch (ConfigurationException e) {
+			log.warn("Configuration can not be loaded.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (NoSuchAlgorithmException e) {
+			log.warn("Requested Algorithm could not found.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (KeyStoreException e) {
+			log.warn("Requested KeyStoreType is not implemented.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (CertificateException e) {
+			log.warn("KeyStore can not be opend or userd.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (SecurityException e) {
+			log.warn("KeyStore can not be opend or used", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (ParserConfigurationException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (MarshallingException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (SignatureException e) {
+			log.warn("PVP2 Metadata can not be signed", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (TransformerConfigurationException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (TransformerFactoryConfigurationError e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (TransformerException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+		}
+		
+		catch (Exception e) {
+			log.warn("Unspecific PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+		}
+
+	}
+
+	/**
+	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doPost(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+	}
+
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
new file mode 100644
index 000000000..d08354c43
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
@@ -0,0 +1,60 @@
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.util.Iterator;
+
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
+
+public class MetaDataVerificationFilter implements MetadataFilter {
+
+	BasicX509Credential credential;
+	
+	public MetaDataVerificationFilter(BasicX509Credential credential) {
+		this.credential = credential;
+	}
+	
+	
+	public void doFilter(XMLObject metadata) throws FilterException {
+		if (metadata instanceof EntitiesDescriptor) {
+			EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
+			
+			if(entitiesDescriptor.getSignature() == null) {
+				throw new FilterException("Root element of metadata file has to be signed", null);
+			}
+			try {
+				processEntitiesDescriptor(entitiesDescriptor);
+				
+			} catch (MOAIDException e) {
+				throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
+			}
+		}
+	}
+	
+	private void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException {
+		Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator();
+		
+		if(desc.getSignature() != null) {
+			EntityVerifier.verify(desc, this.credential);
+		}
+		
+		while(entID.hasNext()) {
+			processEntitiesDescriptor(entID.next());
+		}
+		
+		Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator();
+		
+		while(entIT.hasNext()) {
+			EntityDescriptor entity = entIT.next();
+			if (entity.getSignature() != null)
+				EntityVerifier.verify(entity);
+		}
+	}
+	
+}