ConfigWebTool Version 0.9.5

 --PVP2 Login
 --PVP2 Users to UserDatabase functionality
 --Mailaddress verification
 --Mail status messages to users and admin
 --add List with OpenRequests for admins
 --change OA Target configuration
 --add cleanUp Thread to remove old unused UserAccount requests
 --update UserDatabase to support PVP2 logins
 --add formID element validate received forms

 -- add first classes for STORK configuration

make some Bugfixes

33 files changed, 3928 insertions, 464 deletions

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java
index d088edf34..47e6e83d5 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java
@@ -1,29 +1,49 @@
 package at.gv.egovernment.moa.id.configuration;
 
 public class Constants {
+	public static final String FILEPREFIX = "file:";
+	
+	public static final String SERVLET_PVP2ASSERTION = "pvp2login.action";
+	public static final String SERVLET_ACCOUNTVERIFICATION = "mailAddressVerification.action";
+	
 	public static final String STRUTS_SUCCESS = "success";
 	public static final String STRUTS_ERROR = "error";
 	public static final String STRUTS_ERROR_VALIDATION = "error_validation";
 	public static final String STRUTS_OA_EDIT = "editOA";
 	public static final String STRUTS_REAUTHENTICATE = "reauthentication";
 	public static final String STRUTS_NOTALLOWED = "notallowed";
+	public static final String STRUTS_NEWUSER = "newuser";
+	public static final String STRUTS_SSOLOGOUT = "ssologout";
 	
 	public static final String SESSION_AUTH = "authsession";
 	public static final String SESSION_AUTH_ERROR = "authsessionerror";
 	public static final String SESSION_OAID = "oadbidentifier";
+	public static final String SESSION_FORMID = "formId";
+	public static final String SESSION_FORM = "form";
+	public static final String SESSION_PVP2REQUESTID = "pvp2requestid";
+	public static final String SESSION_RETURNAREA = "returnarea";
+	
+	public static enum STRUTS_RETURNAREA_VALUES {adminRequestsInit, main, usermanagementInit}; 
 	
 	public static final String REQUEST_OAID = "oaid";
+	public static final String REQUEST_USERREQUESTTOKKEN = "tokken";
 	
 	public static final String BKU_ONLINE = "bkuonline";
 	public static final String BKU_LOCAL = "bkulocal";
 	public static final String BKU_HANDY = "bkuhandy";
 	
-	
 	public static final String MOA_CONFIG_BUSINESSSERVICE = "businessService";
-	
 	public static final String MOA_CONFIG_PROTOCOL_SAML1 = "id_saml1";
 	public static final String MOA_CONFIG_PROTOCOL_PVP2 = "id_pvp2x";
 	
 	public static final String DEFAULT_LOCALBKU_URL = "https://127.0.0.1:3496/https-security-layer-request";
 	public static final String DEFAULT_HANDYBKU_URL = "https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx";
+	
+	public static final String PUBLICSERVICE_URL_POSTFIX = ".gv.at";
+	
+	public static final String IDENIFICATIONTYPE_FN = "FN";
+	public static final String IDENIFICATIONTYPE_ERSB = "ERSB";
+	public static final String IDENIFICATIONTYPE_ZVR = "ZVR";
+	
+	public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+";
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java
index 8f75a357c..009a13f4b 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java
@@ -2,14 +2,19 @@ package at.gv.egovernment.moa.id.configuration.auth;
 
 import java.util.Date;
 
+import at.gv.egovernment.moa.id.configuration.helper.DateTimeHelper;
+
 public class AuthenticatedUser {
 
 	private boolean isAuthenticated = false;
 	private boolean isAdmin = false;
+	private boolean isPVP2Login = false;
+	private boolean isMandateUser = false;
 	
 	private long userID;
 	private String givenName;
 	private String familyName;
+	private String institute;
 	private String userName;
 	private Date lastLogin;
 
@@ -17,18 +22,26 @@ public class AuthenticatedUser {
 		
 	}
 	
-	public AuthenticatedUser(long userID, String givenName, String familyName, String userName,
-			boolean isAuthenticated, boolean isAdmin) {
+	public AuthenticatedUser(long userID, String givenName, String familyName, String institute, 
+			String userName, boolean isAuthenticated, boolean isAdmin, boolean isMandateUser, 
+			boolean isPVP2Login) {
 		
 		this.familyName = familyName;
 		this.givenName = givenName;
 		this.userName = userName;
 		this.userID = userID;
+		this.institute = institute;
 		this.isAdmin = isAdmin;
 		this.isAuthenticated = isAuthenticated;
+		this.isMandateUser = isMandateUser;
+		this.isPVP2Login = isPVP2Login;
 		this.lastLogin = new Date();
 	}
 
+	public String getFormatedLastLogin() {
+		return DateTimeHelper.getDateTime(lastLogin);
+	}
+	
 	/**
 	 * @return the isAuthenticated
 	 */
@@ -105,7 +118,7 @@ public class AuthenticatedUser {
 	public Date getLastLogin() {
 		return lastLogin;
 	}
-
+	
 	/**
 	 * @param lastLogin the lastLogin to set
 	 */
@@ -126,8 +139,49 @@ public class AuthenticatedUser {
 	public void setUserName(String userName) {
 		this.userName = userName;
 	}
+
+	/**
+	 * @return the institute
+	 */
+	public String getInstitute() {
+		return institute;
+	}
+
+	/**
+	 * @param institute the institute to set
+	 */
+	public void setInstitute(String institute) {
+		this.institute = institute;
+	}
+
+	/**
+	 * @return the isPVP2Login
+	 */
+	public boolean isPVP2Login() {
+		return isPVP2Login;
+	}
+
+	/**
+	 * @param isPVP2Login the isPVP2Login to set
+	 */
+	public void setPVP2Login(boolean isPVP2Login) {
+		this.isPVP2Login = isPVP2Login;
+	}
+
+	/**
+	 * @return the isMandateUser
+	 */
+	public boolean isMandateUser() {
+		return isMandateUser;
+	}
+
+	/**
+	 * @param isMandateUser the isMandateUser to set
+	 */
+	public void setMandateUser(boolean isMandateUser) {
+		this.isMandateUser = isMandateUser;
+	}
 	
 	
-	
-	
+
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/AttributeListBuilder.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/AttributeListBuilder.java
new file mode 100644
index 000000000..199e89d7c
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/AttributeListBuilder.java
@@ -0,0 +1,50 @@
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+
+import at.gv.egovernment.moa.id.configuration.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+
+public class AttributeListBuilder implements PVPConstants{
+
+	protected static RequestedAttribute buildReqAttribute(String name, String friendlyName, boolean required) {
+		RequestedAttribute attribute = SAML2Utils.createSAMLObject(RequestedAttribute.class);
+		attribute.setIsRequired(required);
+		attribute.setName(name);
+		attribute.setFriendlyName(friendlyName);
+		attribute.setNameFormat(Attribute.URI_REFERENCE);
+		return attribute;
+	}
+	
+	public static List<RequestedAttribute> getRequestedAttributes() {
+		List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>();
+		
+		requestedAttributes.add(buildReqAttribute(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(GIVEN_NAME_NAME, GIVEN_NAME_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(BIRTHDATE_NAME, BIRTHDATE_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(BPK_NAME, BPK_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(EID_CITIZEN_QAA_LEVEL_NAME, EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(EID_ISSUING_NATION_NAME, EID_ISSUING_NATION_FRIENDLY_NAME, true));
+		requestedAttributes.add(buildReqAttribute(EID_SECTOR_FOR_IDENTIFIER_NAME, EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, true));
+		
+		requestedAttributes.add(buildReqAttribute(MANDATE_TYPE_NAME, MANDATE_TYPE_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_LEG_PER_FULL_NAME_NAME, MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_LEG_PER_SOURCE_PIN_NAME, MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, false));
+		
+		requestedAttributes.add(buildReqAttribute(MANDATE_NAT_PER_BIRTHDATE_NAME, MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_NAT_PER_BPK_NAME, MANDATE_NAT_PER_BPK_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_NAT_PER_FAMILY_NAME_NAME, MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_NAT_PER_GIVEN_NAME_NAME, MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, false));
+		
+		requestedAttributes.add(buildReqAttribute(MANDATE_REFERENCE_VALUE_NAME, MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_PROF_REP_OID_NAME, MANDATE_PROF_REP_OID_FRIENDLY_NAME, false));
+		requestedAttributes.add(buildReqAttribute(MANDATE_PROF_REP_DESC_NAME, MANDATE_PROF_REP_DESC_FRIENDLY_NAME, false));
+		return requestedAttributes;
+	}
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
new file mode 100644
index 000000000..ed496ae16
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/Authenticate.java
@@ -0,0 +1,245 @@
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
+
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
+import org.joda.time.DateTime;
+import org.opensaml.Configuration;
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.Subject;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCredentialResolverFactory;
+import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.credential.BasicCredential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+
+import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.utils.SAML2Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.iaik.commons.util.ConfigException;
+
+
+/**
+ * Servlet implementation class Authenticate
+ */
+public class Authenticate extends HttpServlet {
+	private static final long serialVersionUID = 1L;
+
+	private static final Logger log = LoggerFactory
+			.getLogger(Authenticate.class);	
+	/**
+	 * @see HttpServlet#HttpServlet()
+	 */
+	public Authenticate() {
+		super();
+		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		factory.setNamespaceAware(true);
+		try {
+			builder = factory.newDocumentBuilder();
+		} catch (ParserConfigurationException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	DocumentBuilder builder;
+
+	public Document asDOMDocument(XMLObject object) throws IOException,
+			MarshallingException, TransformerException {
+		Document document = builder.newDocument();
+		Marshaller out = Configuration.getMarshallerFactory().getMarshaller(
+				object);
+		out.marshall(object, document);
+		return document;
+	}
+
+	protected void process(HttpServletRequest request,
+			HttpServletResponse response, Map<String,String> legacyParameter) throws ServletException, IOException {
+		try {
+			
+			ConfigurationProvider config = ConfigurationProvider.getInstance();
+			config.initializePVP2Login();
+			
+			AuthnRequest authReq = SAML2Utils
+					.createSAMLObject(AuthnRequest.class);
+			SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+			authReq.setID(gen.generateIdentifier());
+			
+			HttpSession session = request.getSession();
+			if (session != null) {
+				session.setAttribute(Constants.SESSION_PVP2REQUESTID, authReq.getID());
+			}
+			
+			authReq.setAssertionConsumerServiceIndex(0);
+			authReq.setAttributeConsumingServiceIndex(0);
+			authReq.setIssueInstant(new DateTime());
+			Subject subject = SAML2Utils.createSAMLObject(Subject.class);
+			NameID name = SAML2Utils.createSAMLObject(NameID.class);
+			Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+			
+			String serviceURL = config.getPublicUrlPreFix(request);
+			if (!serviceURL.endsWith("/"))
+				serviceURL = serviceURL + "/";
+			name.setValue(serviceURL);
+			issuer.setValue(serviceURL);
+
+			subject.setNameID(name);
+			authReq.setSubject(subject);
+			issuer.setFormat(NameIDType.ENTITY);
+			authReq.setIssuer(issuer);
+			NameIDPolicy policy = SAML2Utils
+					.createSAMLObject(NameIDPolicy.class);
+			policy.setAllowCreate(true);
+			policy.setFormat(NameID.PERSISTENT);
+			authReq.setNameIDPolicy(policy);
+			
+			String entityname = config.getPVP2IDPMetadataEntityName();
+			if (MiscUtil.isEmpty(entityname)) {
+				log.info("No IDP EntityName configurated");
+				throw new ConfigurationException("No IDP EntityName configurated");
+			}
+			
+			HTTPMetadataProvider idpmetadata = config.getMetaDataProvier();
+			EntityDescriptor idpEntity = idpmetadata.getEntityDescriptor(entityname);
+			if (idpEntity == null) {
+				log.info("IDP EntityName is not found in IDP Metadata");
+				throw new ConfigurationException("IDP EntityName is not found in IDP Metadata");
+			}
+			
+			SingleSignOnService redirectEndpoint = null;  
+			for (SingleSignOnService sss : 
+					idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
+				
+				if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { //Get the service address for the binding you wish to use  
+					redirectEndpoint = sss;  
+				}  
+			}
+						
+			authReq.setDestination(redirectEndpoint.getLocation());
+			
+			RequestedAuthnContext reqAuthContext = 
+					SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
+			
+			AuthnContextClassRef authnClassRef = 
+					SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+			
+			authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+
+			reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+			
+			reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);
+			
+			authReq.setRequestedAuthnContext(reqAuthContext);
+			
+			KeyStore keyStore = config.getPVP2KeyStore();
+
+			X509Credential authcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreAuthRequestKeyAlias(), 
+					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());
+
+			Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
+			signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+			signer.setSigningCredential(authcredential);
+
+			authReq.setSignature(signer);
+
+			VelocityEngine engine = new VelocityEngine();
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+			engine.setProperty("classpath.resource.loader.class",
+					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+			engine.init();
+
+			HTTPPostEncoder encoder = new HTTPPostEncoder(engine,
+					"templates/pvp_postbinding_template.html");
+			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+					response, true);
+			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+			SingleSignOnService service = new SingleSignOnServiceBuilder()
+					.buildObject();
+			service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+			service.setLocation(redirectEndpoint.getLocation());;
+			
+			context.setOutboundSAMLMessageSigningCredential(authcredential);
+			context.setPeerEntityEndpoint(service);
+			context.setOutboundSAMLMessage(authReq);
+			context.setOutboundMessageTransport(responseAdapter);
+
+			encoder.encode(context);
+
+		} catch (Exception e) {
+			log.warn("Authentication Request can not be generated", e);
+			throw new ServletException("Authentication Request can not be generated.", e);
+		}
+	}
+
+	/**
+	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doGet(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+				
+		process(request, response, null);
+	}
+
+	/**
+	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doPost(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+		process(request, response, null);
+	}
+
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
new file mode 100644
index 000000000..fa02443dc
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/BuildMetadata.java
@@ -0,0 +1,288 @@
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+
+import org.apache.log4j.Logger;
+import org.opensaml.Configuration;
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.ServiceName;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xml.signature.SignatureException;
+import org.opensaml.xml.signature.Signer;
+import org.w3c.dom.Document;
+
+import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.utils.SAML2Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * Servlet implementation class BuildMetadata
+ */
+public class BuildMetadata extends HttpServlet {
+	private static final long serialVersionUID = 1L;
+	
+	private static final Logger log = Logger.getLogger(BuildMetadata.class);
+
+	/**
+	 * @see HttpServlet#HttpServlet()
+	 */
+	public BuildMetadata() {
+		super();
+	}
+
+	protected static Signature getSignature(Credential credentials) {
+		Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+		signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+		signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+		signer.setSigningCredential(credentials);
+		return signer;
+	}
+	
+	/**
+	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doGet(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+		try {
+			ConfigurationProvider config = ConfigurationProvider.getInstance();
+			
+			//config.initializePVP2Login();
+			
+			SecureRandomIdentifierGenerator idGen = new SecureRandomIdentifierGenerator();
+			
+			EntitiesDescriptor spEntitiesDescriptor = SAML2Utils.
+					createSAMLObject(EntitiesDescriptor.class);
+			
+			String name = config.getPVP2MetadataEntitiesName();
+			if (MiscUtil.isEmpty(name)) {
+				log.info("NO Metadata EntitiesName configurated");
+				throw new ConfigurationException("NO Metadata EntitiesName configurated");
+			}
+			
+			spEntitiesDescriptor.setName(name);
+			spEntitiesDescriptor.setID(idGen.generateIdentifier());
+			
+			EntityDescriptor spEntityDescriptor = SAML2Utils
+					.createSAMLObject(EntityDescriptor.class);
+
+			spEntitiesDescriptor.getEntityDescriptors().add(spEntityDescriptor);
+			
+			String serviceURL = config.getPublicUrlPreFix(request);
+			if (!serviceURL.endsWith("/"))
+				serviceURL = serviceURL + "/";
+			
+			log.debug("Set OnlineApplicationURL to " + serviceURL);
+			spEntityDescriptor.setEntityID(serviceURL);
+
+			SPSSODescriptor spSSODescriptor = SAML2Utils
+					.createSAMLObject(SPSSODescriptor.class);
+
+			spSSODescriptor.setAuthnRequestsSigned(true);
+			spSSODescriptor.setWantAssertionsSigned(true);
+
+			X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
+			keyInfoFactory.setEmitEntityCertificate(true);
+			KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance();
+			
+			KeyStore keyStore = config.getPVP2KeyStore();
+
+			X509Credential signingcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreMetadataKeyAlias(), 
+					config.getPVP2KeystoreMetadataKeyPassword().toCharArray());
+
+			
+			log.debug("Set Metadata key information");
+			//Set MetaData Signing key
+			KeyDescriptor entitiesSignKeyDescriptor = SAML2Utils
+					.createSAMLObject(KeyDescriptor.class);
+			entitiesSignKeyDescriptor.setUse(UsageType.SIGNING);
+			entitiesSignKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingcredential));
+			Signature entitiesSignature = getSignature(signingcredential);
+			
+			X509Credential authcredential = new KeyStoreX509CredentialAdapter(
+					keyStore, 
+					config.getPVP2KeystoreAuthRequestKeyAlias(), 
+					config.getPVP2KeystoreAuthRequestKeyPassword().toCharArray());
+			
+			
+			//Set AuthRequest Signing certificate
+			KeyDescriptor signKeyDescriptor = SAML2Utils
+					.createSAMLObject(KeyDescriptor.class);
+			signKeyDescriptor.setUse(UsageType.SIGNING);
+			signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential));	
+			spEntitiesDescriptor.setSignature(entitiesSignature);
+			spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
+			
+			NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+			persistentnameIDFormat.setFormat(NameIDType.PERSISTENT);
+			
+			spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat);
+			
+			NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+			transientnameIDFormat.setFormat(NameIDType.TRANSIENT);
+			
+			spSSODescriptor.getNameIDFormats().add(transientnameIDFormat);
+			
+			NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class);
+			unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED);
+			
+			spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat);
+						
+			AssertionConsumerService postassertionConsumerService = 
+					SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+			
+			postassertionConsumerService.setIndex(0);
+			postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
+			postassertionConsumerService.setLocation(serviceURL + Constants.SERVLET_PVP2ASSERTION);
+			
+			spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService);
+			
+			spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
+			
+			spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+			
+			spSSODescriptor.setWantAssertionsSigned(true);
+			spSSODescriptor.setAuthnRequestsSigned(true);
+			AttributeConsumingService attributeService = 
+					SAML2Utils.createSAMLObject(AttributeConsumingService.class);
+			
+			attributeService.setIndex(0);
+			attributeService.setIsDefault(true);
+			ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class);
+			serviceName.setName(new LocalizedString("Default Service", "de"));
+			attributeService.getNames().add(serviceName);
+			
+			attributeService.getRequestAttributes().addAll(AttributeListBuilder.getRequestedAttributes());
+			
+			spSSODescriptor.getAttributeConsumingServices().add(attributeService);
+
+			DocumentBuilder builder;
+			DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+			
+			builder = factory.newDocumentBuilder();
+			Document document = builder.newDocument();
+			Marshaller out = Configuration.getMarshallerFactory().getMarshaller(spEntitiesDescriptor);
+			out.marshall(spEntitiesDescriptor, document);
+			
+			Signer.signObject(entitiesSignature);
+			
+			Transformer transformer = TransformerFactory.newInstance().newTransformer();
+			
+			StringWriter sw = new StringWriter();
+			StreamResult sr = new StreamResult(sw);
+			DOMSource source  = new DOMSource(document);
+			transformer.transform(source, sr);
+			sw.close();
+			
+			String metadataXML = sw.toString();
+						
+			response.setContentType("text/xml");
+			response.getOutputStream().write(metadataXML.getBytes());
+			
+			response.getOutputStream().close();
+			
+		} catch (ConfigurationException e) {
+			log.warn("Configuration can not be loaded.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (NoSuchAlgorithmException e) {
+			log.warn("Requested Algorithm could not found.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (KeyStoreException e) {
+			log.warn("Requested KeyStoreType is not implemented.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (CertificateException e) {
+			log.warn("KeyStore can not be opend or userd.", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (SecurityException e) {
+			log.warn("KeyStore can not be opend or used", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (ParserConfigurationException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (MarshallingException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (SignatureException e) {
+			log.warn("PVP2 Metadata can not be signed", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (TransformerConfigurationException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (TransformerFactoryConfigurationError e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+			
+		} catch (TransformerException e) {
+			log.warn("PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+		}
+		
+		catch (Exception e) {
+			log.warn("Unspecific PVP2 Metadata createn error", e);
+			throw new ServletException("MetaData can not be created. Look into LogFiles for more details.");
+		}
+
+	}
+
+	/**
+	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+	 *      response)
+	 */
+	protected void doPost(HttpServletRequest request,
+			HttpServletResponse response) throws ServletException, IOException {
+	}
+
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
new file mode 100644
index 000000000..d08354c43
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
@@ -0,0 +1,60 @@
+package at.gv.egovernment.moa.id.configuration.auth.pvp2;
+
+import java.util.Iterator;
+
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
+
+public class MetaDataVerificationFilter implements MetadataFilter {
+
+	BasicX509Credential credential;
+	
+	public MetaDataVerificationFilter(BasicX509Credential credential) {
+		this.credential = credential;
+	}
+	
+	
+	public void doFilter(XMLObject metadata) throws FilterException {
+		if (metadata instanceof EntitiesDescriptor) {
+			EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
+			
+			if(entitiesDescriptor.getSignature() == null) {
+				throw new FilterException("Root element of metadata file has to be signed", null);
+			}
+			try {
+				processEntitiesDescriptor(entitiesDescriptor);
+				
+			} catch (MOAIDException e) {
+				throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
+			}
+		}
+	}
+	
+	private void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException {
+		Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator();
+		
+		if(desc.getSignature() != null) {
+			EntityVerifier.verify(desc, this.credential);
+		}
+		
+		while(entID.hasNext()) {
+			processEntitiesDescriptor(entID.next());
+		}
+		
+		Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator();
+		
+		while(entIT.hasNext()) {
+			EntityDescriptor entity = entIT.next();
+			if (entity.getSignature() != null)
+				EntityVerifier.verify(entity);
+		}
+	}
+	
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
index aeadbd0bb..f08632d83 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/config/ConfigurationProvider.java
@@ -1,24 +1,55 @@
 package at.gv.egovernment.moa.id.configuration.config;
 
+import iaik.x509.X509Certificate;
+
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
 import java.util.Properties;
+import java.util.Timer;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.log4j.Logger;
+import org.opensaml.DefaultBootstrap;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.xml.security.x509.BasicX509Credential;
 
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.auth.pvp2.MetaDataVerificationFilter;
 import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
-import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.id.configuration.utils.UserRequestCleaner;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 
 public class ConfigurationProvider {
 
+	private static final Logger log = Logger.getLogger(ConfigurationProvider.class);
+	
 	private static final String SYSTEM_PROP_CONFIG = "moa.id.webconfig";
 	
 	private static ConfigurationProvider instance;
 	private Properties props;
 	private String configFileName;
+	private String configRootDir;
+	
+	private HTTPMetadataProvider idpMetadataProvider = null;
+	private KeyStore keyStore = null;
+	
+	private String publicURLPreFix = null;
+	
+	private boolean pvp2logininitialzied = false;
 	
 	public static ConfigurationProvider getInstance() throws ConfigurationException {
 		if (instance == null) {
@@ -39,10 +70,14 @@ public class ConfigurationProvider {
 	    if (configFileName == null) {
 	        throw new ConfigurationException("config.01");
 	    }
-	    Logger.info("Loading MOA-ID-AUTH configuration " + configFileName);
+	    
+		// determine the directory of the root config file
+	    configRootDir = new File(configFileName).getParent();	
+	    
+	    log.info("Loading MOA-ID-AUTH configuration " + configFileName);
 	    
 		//Initial Hibernate Framework
-		Logger.trace("Initializing Hibernate framework.");
+		log.trace("Initializing Hibernate framework.");
 			
 		//Load MOAID-2.0 properties file
 		File propertiesFile = new File(configFileName);
@@ -60,26 +95,349 @@ public class ConfigurationProvider {
 				//Initial config Database
 				ConfigurationDBUtils.initHibernate(props);			
 			  }
-			Logger.trace("Hibernate initialization finished.");
+			log.trace("Hibernate initialization finished.");
 			
+			DefaultBootstrap.bootstrap();
+			log.info("OPENSAML initialized");
+
+			//TODO: start CleanUP Thread
+			UserRequestCleaner.start();
 			
-				
+							
 		} catch (FileNotFoundException e) {
 			throw new ConfigurationException("config.01", e);
+			
 		} catch (IOException e) {
 			throw new ConfigurationException("config.02", e);
+			
 		} catch (MOADatabaseException e) {
 			throw new ConfigurationException("config.03", e);
+			
+		} catch (org.opensaml.xml.ConfigurationException e) {
+			throw new ConfigurationException("config.04", e);
 		}
 			
 	}
 	
+	public String getPublicUrlPreFix(HttpServletRequest request) {
+		publicURLPreFix = props.getProperty("general.publicURLContext");
+		
+		if (MiscUtil.isEmpty(publicURLPreFix) && request != null) {
+			String url = request.getRequestURL().toString();
+			String contextpath = request.getContextPath();
+			int index = url.indexOf(contextpath);
+			publicURLPreFix = url.substring(0, index + contextpath.length() + 1);
+		} 
+		
+		return publicURLPreFix;
+	}
+	
+	public int getUserRequestCleanUpDelay() {
+		String delay = props.getProperty("general.userrequests.cleanup.delay");
+		return Integer.getInteger(delay, 12);
+	}
+	
+	public String getContactMailAddress() {
+		return props.getProperty("general.contact.mail");
+	}
+	
+	public String getSSOLogOutURL() {
+		return props.getProperty("general.login.pvp2.idp.sso.logout.url");
+	}
+	
+	public KeyStore getPVP2KeyStore() throws ConfigurationException, IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException {
+		if (keyStore == null) {
+			String keystoretype = getPVP2MetadataKeystoreType();
+			if (MiscUtil.isEmpty(keystoretype)) {
+				log.debug("No KeyStoreType defined. Using default KeyStoreType.");
+				keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+				
+			} else {
+				log.debug("Using " + keystoretype + " KeyStoreType.");
+				keyStore = KeyStore.getInstance(keystoretype);
+
+			}
+			
+			
+			String file = getPVP2MetadataKeystoreURL();	
+			log.debug("Load KeyStore from URL " + file);
+			if (MiscUtil.isEmpty(file)) {
+				log.info("Metadata KeyStoreURL is empty");
+				throw new ConfigurationException("Metadata KeyStoreURL is empty");
+			}
+			
+			FileInputStream inputStream = new FileInputStream(file);
+			keyStore.load(inputStream, getPVP2MetadataKeystorePassword().toCharArray());
+			inputStream.close();
+		}
+		
+		return keyStore;
+		
+	}
+
+	public String getConfigFile() {
+		return configFileName;
+	}
+	
+	public String getConfigRootDir() {
+		return configRootDir;
+	}
+	
 	public boolean isLoginDeaktivated() {
 		String result = props.getProperty("general.login.deaktivate", "false");
 		return Boolean.parseBoolean(result);
 	}
 	
-	public String getConfigFile() {
-		return configFileName;
+	public boolean isOATargetVerificationDeaktivated() {
+		String result = props.getProperty("general.OATargetVerification.deaktivate", "false");
+		return Boolean.parseBoolean(result);
+	}
+	
+	//PVP2 Login configuration
+	
+	public void initializePVP2Login() throws ConfigurationException {
+		if (!pvp2logininitialzied)
+			initalPVP2Login();
+	}
+	
+	public boolean isPVP2LoginActive() {
+		if (!pvp2logininitialzied)
+			return false;
+		
+		String result = props.getProperty("general.login.pvp2.isactive", "false");
+		return Boolean.parseBoolean(result);
+	}
+	
+	public boolean isPVP2LoginBusinessService() {
+		String result = props.getProperty("general.login.pvp2.isbusinessservice", "false");
+		return Boolean.parseBoolean(result);
+	}	
+	
+	public String getPVP2LoginTarget() {
+		return props.getProperty("general.login.pvp2.target");
+	}
+
+	public String getPVP2LoginIdenificationValue() {
+		return props.getProperty("general.login.pvp2.identificationvalue");
+	}
+	
+	public String getPVP2MetadataEntitiesName() {
+		return props.getProperty("general.login.pvp2.metadata.entities.name");
+	}
+	
+	public String getPVP2MetadataKeystoreURL() {
+		return props.getProperty("general.login.pvp2.keystore.url");
+	}
+	
+	public String getPVP2MetadataKeystorePassword() {
+		return props.getProperty("general.login.pvp2.keystore.password");
+	}
+	
+	public String getPVP2MetadataKeystoreType() {
+		return props.getProperty("general.login.pvp2.keystore.type");
+	}
+
+	public String getPVP2KeystoreMetadataKeyAlias() {
+		return props.getProperty("general.login.pvp2.keystore.metadata.key.alias");
+	}
+	
+	public String getPVP2KeystoreMetadataKeyPassword() {
+		return props.getProperty("general.login.pvp2.keystore.metadata.key.password");
+	}
+	
+	public String getPVP2KeystoreAuthRequestKeyAlias() {
+		return props.getProperty("general.login.pvp2.keystore.authrequest.key.alias");
+	}
+	
+	public String getPVP2KeystoreAuthRequestKeyPassword() {
+		return props.getProperty("general.login.pvp2.keystore.authrequest.key.password");
+	}
+	
+	public String getPVP2IDPMetadataURL() {
+		return props.getProperty("general.login.pvp2.idp.metadata.url");
+	}
+	
+	public String getPVP2IDPMetadataCertificate() {
+		return props.getProperty("general.login.pvp2.idp.metadata.certificate");
+	}
+	
+	public String getPVP2IDPMetadataEntityName() {
+		return props.getProperty("general.login.pvp2.idp.metadata.entityID");
+	}
+	
+	public HTTPMetadataProvider getMetaDataProvier() {
+		return idpMetadataProvider;
+	}
+	
+	
+	//SMTP Server
+	public String getSMTPMailHost() {
+		return props.getProperty("general.mail.host");
+	}
+	
+	public String getSMTPMailPort() {
+		return props.getProperty("general.mail.host.port");
+	}
+	
+	public String getSMTPMailUsername() {
+		return props.getProperty("general.mail.host.username");
+	}
+	
+	public String getSMTPMailPassword() {
+		return props.getProperty("general.mail.host.password");
+	}
+	
+	//Mail Configuration
+	public String getMailFromName() {
+		return props.getProperty("general.mail.from.name");
+	}
+	
+	public String getMailFromAddress() {
+		return props.getProperty("general.mail.from.address");
+	}
+	
+	public String getMailUserAcountVerificationSubject() {
+		return props.getProperty("general.mail.useraccountrequest.verification.subject");
+	}
+	
+	public String getMailUserAcountVerificationTemplate() throws ConfigurationException {
+		String url = props.getProperty("general.mail.useraccountrequest.verification.template");
+		
+		if (MiscUtil.isNotEmpty(url)) {
+			if (url.startsWith(Constants.FILEPREFIX))
+				return url;
+			
+			else
+				return configRootDir + "/" + url;
+					
+		} else {
+			log.warn("MailUserAcountVerificationTemplate is empty");
+			throw new ConfigurationException("MailUserAcountVerificationTemplate is empty");
+			
+		}
+	}
+	
+	public String getMailUserAcountActivationSubject() {
+		return props.getProperty("general.mail.useraccountrequest.isactive.subject");
+	}
+	
+	public String getMailUserAcountActivationTemplate() throws ConfigurationException {
+		String url = props.getProperty("general.mail.useraccountrequest.isactive.template");
+		
+		if (MiscUtil.isNotEmpty(url)) {
+			if (url.startsWith(Constants.FILEPREFIX))
+				return url;
+			
+			else
+				return configRootDir + "/" + url;
+					
+		} else {
+			log.warn("MailUserAcountVerificationTemplate is empty");
+			throw new ConfigurationException("MailUserAcountActivationTemplate is empty");
+			
+		}
+	}
+	
+	public String getMailOAActivationSubject() {
+		return props.getProperty("general.mail.createOArequest.isactive.subject");
+	}
+	
+	public String getMailOAActivationTemplate() throws ConfigurationException {
+		String url = props.getProperty("general.mail.createOArequest.isactive.template");
+		
+		if (MiscUtil.isNotEmpty(url)) {
+			if (url.startsWith(Constants.FILEPREFIX))
+				return url;
+			
+			else
+				return configRootDir + "/" + url;
+					
+		} else {
+			log.warn("MailOAActivationTemplate is empty");
+			throw new ConfigurationException("MailOAActivationTemplate is empty");
+			
+		}
+	}
+	
+	public String getMailUserAcountRevocationTemplate() throws ConfigurationException {
+		String url = props.getProperty("general.mail.useraccountrequest.rejected.template");
+		
+		if (MiscUtil.isNotEmpty(url)) {
+			if (url.startsWith(Constants.FILEPREFIX))
+				return url;
+			
+			else
+				return configRootDir + "/" + url;
+					
+		} else {
+			log.warn("MailUserAcountVerificationTemplate is empty");
+			throw new ConfigurationException("MailUserAcountRevocationTemplate is empty");
+			
+		}
+	}
+	
+	public String getMailAdminSubject() {
+		return props.getProperty("general.mail.admin.subject");
+	}
+	
+	public String getMailAdminTemplate() throws ConfigurationException {
+		String url = props.getProperty("general.mail.admin.adresses.template");
+		
+		if (MiscUtil.isNotEmpty(url)) {
+			if (url.startsWith(Constants.FILEPREFIX))
+				return url;
+			
+			else
+				return configRootDir + "/" + url;
+					
+		} else {
+			log.warn("MailUserAcountVerificationTemplate is empty");
+			throw new ConfigurationException("MailAdminTemplate is empty");
+			
+		}
+	}
+
+	public String getMailAdminAddress() {
+		return props.getProperty("general.mail.admin.adress");
+	}
+	
+	
+	private void initalPVP2Login() throws ConfigurationException {
+		try {
+					
+			String metadataCert = getPVP2IDPMetadataCertificate();
+			if (MiscUtil.isEmpty(metadataCert)) {
+				log.info("NO IDP Certificate to verify IDP Metadata");
+				throw new ConfigurationException("NO IDP Certificate to verify IDP Metadata");
+			}
+			
+			InputStream certstream = new FileInputStream(metadataCert);
+			X509Certificate cert = new X509Certificate(certstream);
+			BasicX509Credential idpCredential = new BasicX509Credential();
+			idpCredential.setEntityCertificate(cert);
+			
+			log.debug("IDP Certificate loading finished");
+			
+			String metadataurl = getPVP2IDPMetadataURL();
+			if (MiscUtil.isEmpty(metadataurl)) {
+				log.info("NO IDP Metadata URL.");
+				throw new ConfigurationException("NO IDP Metadata URL.");
+			}
+						
+			idpMetadataProvider = new HTTPMetadataProvider(new Timer(), new HttpClient(), metadataurl);  
+			idpMetadataProvider.setRequireValidMetadata(true);  
+			idpMetadataProvider.setParserPool(new BasicParserPool());
+			idpMetadataProvider.setMetadataFilter(new MetaDataVerificationFilter(idpCredential));
+			idpMetadataProvider.setMaxRefreshDelay(1000 * 3600 * 12 ); //refresh Metadata every 12h
+			idpMetadataProvider.initialize(); 
+						
+			pvp2logininitialzied = true;
+			
+		} catch (Exception e) {
+			log.warn("PVP2 authentification can not be initialized.");
+			throw new ConfigurationException("PVP2 authentification can not be initialized.", e);
+		}
+		
+		
 	}
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralStorkConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralStorkConfig.java
new file mode 100644
index 000000000..d0b108e1e
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/GeneralStorkConfig.java
@@ -0,0 +1,5 @@
+package at.gv.egovernment.moa.id.configuration.data;
+
+public class GeneralStorkConfig {
+
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/StorkAttributes.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/StorkAttributes.java
new file mode 100644
index 000000000..b1857aea1
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/StorkAttributes.java
@@ -0,0 +1,28 @@
+package at.gv.egovernment.moa.id.configuration.data;
+
+public class StorkAttributes {
+
+
+	public AttributValues eIdentifier;
+	
+	
+	public void parse() {
+		eIdentifier = AttributValues.MANDATORY;
+	}
+	
+	
+	public enum AttributValues {
+		MANDATORY, OPTIONAL, NOT;
+		
+		public String getValue() {
+			if (this == MANDATORY)
+				return MANDATORY.name();
+			if (this == OPTIONAL)
+				return OPTIONAL.name();
+			else
+				return NOT.name();
+		}
+	}
+	
+}
+
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java
index 881cdf277..ab08b458a 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java
@@ -2,7 +2,6 @@ package at.gv.egovernment.moa.id.configuration.data;
 
 import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
 import at.gv.egovernment.moa.util.MiscUtil;
-import at.gv.util.data.BPK;
 
 public class UserDatabaseFrom {
 	
@@ -18,10 +17,14 @@ public class UserDatabaseFrom {
 	private boolean active = false;
 	private boolean admin = false;
 	private boolean passwordActive;
+	private boolean isusernamepasswordallowed = false;
+	private boolean isadminrequest = true;
+	private boolean ismandateuser = false;
+	private boolean isPVPGenerated; 
 	private String userID = null;
 	
 	public UserDatabaseFrom() {
-		
+
 	}
 	
 	public UserDatabaseFrom(UserDatabase db) {
@@ -41,6 +44,26 @@ public class UserDatabaseFrom {
 		active = db.isIsActive();
 		admin = db.isIsAdmin();
 		
+		if (db.isIsUsernamePasswordAllowed() != null)
+			isusernamepasswordallowed = db.isIsUsernamePasswordAllowed();
+		else
+			isusernamepasswordallowed = true;
+		
+		if (db.isIsAdminRequest() != null)
+			isadminrequest = db.isIsAdminRequest();
+		else
+			isadminrequest = false;
+		
+		if (db.isIsMandateUser() != null)
+			ismandateuser = db.isIsMandateUser();
+		else
+			ismandateuser = false;
+		
+		if (db.isIsPVP2Generated() != null)
+			isPVPGenerated = db.isIsPVP2Generated();
+		else
+			isPVPGenerated = false;
+		
 		userID = String.valueOf(db.getHjid());
 	}
 
@@ -247,7 +270,62 @@ public class UserDatabaseFrom {
 	public void setPassword_second(String password_second) {
 		this.password_second = password_second;
 	}
+
+	/**
+	 * @return the isusernamepasswordallowed
+	 */
+	public boolean isIsusernamepasswordallowed() {
+		return isusernamepasswordallowed;
+	}
+
+	/**
+	 * @param isusernamepasswordallowed the isusernamepasswordallowed to set
+	 */
+	public void setIsusernamepasswordallowed(boolean isusernamepasswordallowed) {
+		this.isusernamepasswordallowed = isusernamepasswordallowed;
+	}
+
+	/**
+	 * @return the ismandateuser
+	 */
+	public boolean isIsmandateuser() {
+		return ismandateuser;
+	}
 	
 	
+	/**
+	 * @param ismandateuser the ismandateuser to set
+	 */
+	public void setIsmandateuser(boolean ismandateuser) {
+		this.ismandateuser = ismandateuser;
+	}
+
+	/**
+	 * @return the isadminrequest
+	 */
+	public boolean isIsadminrequest() {
+		return isadminrequest;
+	}
+
+	/**
+	 * @param isadminrequest the isadminrequest to set
+	 */
+	public void setIsadminrequest(boolean isadminrequest) {
+		this.isadminrequest = isadminrequest;
+	}
+
+	/**
+	 * @return the isPVPGenerated
+	 */
+	public boolean isPVPGenerated() {
+		return isPVPGenerated;
+	}
+
+	/**
+	 * @param isPVPGenerated the isPVPGenerated to set
+	 */
+	public void setPVPGenerated(boolean isPVPGenerated) {
+		this.isPVPGenerated = isPVPGenerated;
+	}
 	
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java
index 57ae4863a..2b4ea53c1 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java
@@ -1,9 +1,11 @@
 package at.gv.egovernment.moa.id.configuration.data.oa;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
 import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA;
@@ -18,6 +20,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType;
 import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType;
 import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.validation.TargetValidator;
 import at.gv.egovernment.moa.util.MiscUtil;
 
 
@@ -35,19 +38,21 @@ public class OAGeneralConfig {
 	private boolean businessService = false;
 	
 	private String target = null;
+	private String target_subsector = null;
+	private String target_admin = null;
+	private static List<String> targetList = null;
 	private String targetFriendlyName = null;
+	private boolean isAdminTarget = false;
 	
 	private String identificationNumber = null;
 	private String identificationType = null;
+	private static List<String> identificationTypeList = null;
 	
 	private String aditionalAuthBlockText = null;
 		
 	private String mandateProfiles = null;
 	
 	private boolean isActive = false;
-	private String slVersion = null;
-	private boolean useIFrame = false;
-	private boolean useUTC = false;
 	private boolean calculateHPI = false;
 	
 	private String keyBoxIdentifier = null;
@@ -56,6 +61,8 @@ public class OAGeneralConfig {
 	private boolean legacy = false;
 	List<String> SLTemplates = null;
 		
+	private boolean isHideBPKAuthBlock = false;
+	
 	private Map<String, byte[]> transformations;
 	
 
@@ -69,6 +76,14 @@ public class OAGeneralConfig {
 		 
 		 bkuLocalURL = Constants.DEFAULT_LOCALBKU_URL;
 		 bkuHandyURL = Constants.DEFAULT_HANDYBKU_URL;
+
+		 targetList = TargetValidator.getListOfTargets();
+		 target = "";
+
+		 identificationTypeList = Arrays.asList(
+				 Constants.IDENIFICATIONTYPE_FN,
+				 Constants.IDENIFICATIONTYPE_ZVR,
+				 Constants.IDENIFICATIONTYPE_ERSB);
 	}
 	
 	
@@ -81,8 +96,32 @@ public class OAGeneralConfig {
 		keyBoxIdentifier = dbOAConfig.getKeyBoxIdentifier().value();		
 		
 		identifier = dbOAConfig.getPublicURLPrefix();
-		target = dbOAConfig.getTarget();
-		targetFriendlyName = dbOAConfig.getTargetFriendlyName();
+		
+		String target_full = dbOAConfig.getTarget();
+		
+		if (MiscUtil.isNotEmpty(target_full)) {
+			String[] target_split = target_full.split("-");
+
+			if (TargetValidator.isValidTarget(target_full)) {
+				target = dbOAConfig.getTarget();
+				if (target_split.length > 1)
+					target_subsector = target_split[1];
+				
+			} else {
+				if (TargetValidator.isValidTarget(target_split[0])) {
+					target = target_split[0];
+					if (target_split.length > 1)
+						target_subsector = target_split[1];
+					
+				} else {
+					target = "";
+					target_subsector = null;
+					target_admin = target_full;
+					isAdminTarget = true;
+				}
+			}
+			targetFriendlyName = dbOAConfig.getTargetFriendlyName();
+		}
 		
 		if (dbOAConfig.getType().equals(Constants.MOA_CONFIG_BUSINESSSERVICE))
 			businessService = true;
@@ -127,7 +166,15 @@ public class OAGeneralConfig {
 			
 			IdentificationNumber idnumber = oaauth.getIdentificationNumber();
 			if (idnumber != null) {
-				identificationNumber = idnumber.getValue();
+				String number = idnumber.getValue();
+				if (MiscUtil.isNotEmpty(number)) {
+					String[] split = number.split("\\+");
+				
+					if (Constants.PREFIX_WPBK.startsWith(split[0]) && split.length >= 2) {
+						identificationType = split[1];
+						identificationNumber = split[2];
+					}
+				}
 			}
 			
 			Mandates mandates = oaauth.getMandates();
@@ -135,8 +182,6 @@ public class OAGeneralConfig {
 				mandateProfiles = mandates.getProfiles();
 			}
 			
-			slVersion = oaauth.getSlVersion();
-			
 			TemplatesType templates = oaauth.getTemplates();
 			if (templates != null) {
 				aditionalAuthBlockText = templates.getAditionalAuthBlockText();
@@ -162,11 +207,9 @@ public class OAGeneralConfig {
 				transformations.put(el.getFilename(), el.getTransformation());
 			}
 						 
-			 useIFrame = oaauth.isUseIFrame();
-			 useUTC = oaauth.isUseUTC();
 		}
 		
-		
+		isHideBPKAuthBlock = dbOAConfig.isRemoveBPKFromAuthBlock();
 		
 		
 	}
@@ -243,30 +286,6 @@ public class OAGeneralConfig {
 		this.isActive = isActive;
 	}
 
-	public String getSlVersion() {
-		return slVersion;
-	}
-
-	public void setSlVersion(String slVersion) {
-		this.slVersion = slVersion;
-	}
-
-	public boolean isUseIFrame() {
-		return useIFrame;
-	}
-
-	public void setUseIFrame(boolean useIFrame) {
-		this.useIFrame = useIFrame;
-	}
-
-	public boolean isUseUTC() {
-		return useUTC;
-	}
-
-	public void setUseUTC(boolean useUTC) {
-		this.useUTC = useUTC;
-	}
-
 	public boolean isBusinessService() {
 		return businessService;
 	}
@@ -461,6 +480,84 @@ public class OAGeneralConfig {
 		SLTemplates.add(sLTemplateURL3);
 	}
 
-	
+
+	/**
+	 * @return the target_subsector
+	 */
+	public String getTarget_subsector() {
+		return target_subsector;
+	}
+
+
+	/**
+	 * @param target_subsector the target_subsector to set
+	 */
+	public void setTarget_subsector(String target_subsector) {
+		this.target_subsector = target_subsector;
+	}
+
+
+	/**
+	 * @return the target_admin
+	 */
+	public String getTarget_admin() {
+		return target_admin;
+	}
+
+
+	/**
+	 * @param target_admin the target_admin to set
+	 */
+	public void setTarget_admin(String target_admin) {
+		this.target_admin = target_admin;
+	}
+
+
+	/**
+	 * @return the targetList
+	 */
+	public List<String> getTargetList() {
+		return targetList;
+	}
+
+
+	/**
+	 * @return the identificationTypeList
+	 */
+	public List<String> getIdentificationTypeList() {
+		return identificationTypeList;
+	}
+
+
+	/**
+	 * @return the isAdminTarget
+	 */
+	public boolean isAdminTarget() {
+		return isAdminTarget;
+	}
+
+
+	/**
+	 * @param isAdminTarget the isAdminTarget to set
+	 */
+	public void setAdminTarget(boolean isAdminTarget) {
+		this.isAdminTarget = isAdminTarget;
+	}
+
+
+	/**
+	 * @return the isHideBPKAuthBlock
+	 */
+	public boolean isHideBPKAuthBlock() {
+		return isHideBPKAuthBlock;
+	}
+
+
+	/**
+	 * @param isHideBPKAuthBlock the isHideBPKAuthBlock to set
+	 */
+	public void setHideBPKAuthBlock(boolean isHideBPKAuthBlock) {
+		this.isHideBPKAuthBlock = isHideBPKAuthBlock;
+	}
 	
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/exception/ConfigurationException.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/exception/ConfigurationException.java
index e83bf6997..0c78f996c 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/exception/ConfigurationException.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/exception/ConfigurationException.java
@@ -1,5 +1,7 @@
 package at.gv.egovernment.moa.id.configuration.exception;
 
+import javax.mail.MessagingException;
+
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
 
 public class ConfigurationException extends Exception {
@@ -14,4 +16,8 @@ public class ConfigurationException extends Exception {
 		super(LanguageHelper.getErrorString(errorname), e);
 	}
 
+	public ConfigurationException(Throwable e) {
+		super(e);
+	}
+
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
index 7dac458ca..9f81e1212 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java
@@ -129,7 +129,7 @@ public class AuthenticationFilter implements Filter{
 							
 				if (authuser == null) {
 
-					authuser = new AuthenticatedUser(0, "Max", "TestUser", "maxtestuser", true, true);
+					authuser = new AuthenticatedUser(0, "Max", "TestUser", null, "maxtestuser", true, true, false, false);
 					//authuser = new AuthenticatedUser(1, "Max", "TestUser", true, false);
 					httpServletRequest.getSession().setAttribute(Constants.SESSION_AUTH, authuser);
 				}
@@ -184,7 +184,7 @@ public class AuthenticationFilter implements Filter{
 			filterchain.doFilter(req, resp);
 			
 		} catch (Exception e) {
-			
+						
 //			String redirectURL = "./index.action";
 //			HttpServletResponse httpResp = (HttpServletResponse) resp;
 //			redirectURL = httpResp.encodeRedirectURL(redirectURL);
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/DateTimeHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/DateTimeHelper.java
new file mode 100644
index 000000000..aed20ce9e
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/DateTimeHelper.java
@@ -0,0 +1,37 @@
+package at.gv.egovernment.moa.id.configuration.helper;
+
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import org.apache.log4j.Logger;
+
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class DateTimeHelper {
+
+	private static final Logger log = Logger.getLogger(DateTimeHelper.class);
+	
+	private static final String DATETIMEPATTERN = "dd.MM.yyy HH:mm";
+	
+	public static String getDateTime(Date date) {
+		SimpleDateFormat f = new SimpleDateFormat(DATETIMEPATTERN);
+		return f.format(date);
+	}
+	
+	public static Date parseDateTime(String date) {
+		SimpleDateFormat f = new SimpleDateFormat(DATETIMEPATTERN);
+		
+		if (MiscUtil.isNotEmpty(date)) {
+		
+			try {
+				return f.parse(date);
+			
+			} catch (ParseException e) {
+				log.warn("Parse DATETIME String " + date + " failed", e);
+				
+			}
+		}
+		return null;
+	}
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java
new file mode 100644
index 000000000..d2814f6a6
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java
@@ -0,0 +1,53 @@
+package at.gv.egovernment.moa.id.configuration.helper;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
+import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
+import at.gv.egovernment.moa.id.configuration.data.OAListElement;
+
+public class FormDataHelper {
+
+	public static ArrayList<OAListElement> addFormOAs(List<OnlineApplication> dbOAs) {
+		
+		ArrayList<OAListElement> formOAs = new ArrayList<OAListElement>();
+
+		for (OnlineApplication dboa : dbOAs) {
+			OAListElement listoa = new OAListElement();
+			listoa.setActive(dboa.isIsActive());
+			listoa.setDataBaseID(dboa.getHjid());
+			listoa.setOaFriendlyName(dboa.getFriendlyName());
+			listoa.setOaIdentifier(dboa.getPublicURLPrefix());
+			listoa.setOaType(dboa.getType());
+			formOAs.add(listoa);
+		}
+		
+		return formOAs;
+	}
+	
+	public static ArrayList<AuthenticatedUser> addFormUsers(List<UserDatabase> dbuserlist) {
+		ArrayList<AuthenticatedUser> userlist = new ArrayList<AuthenticatedUser>();
+		
+		for (UserDatabase dbuser : dbuserlist) {
+			
+			boolean ismandate = false;
+			if (dbuser.isIsMandateUser() != null)
+				ismandate = dbuser.isIsMandateUser();
+			
+			
+			userlist.add(new AuthenticatedUser(
+					dbuser.getHjid(), 
+					dbuser.getGivenname(), 
+					dbuser.getFamilyname(),
+					dbuser.getInstitut(),
+					dbuser.getUsername(),
+					dbuser.isIsActive(), 
+					dbuser.isIsAdmin(),
+					ismandate,
+					false));
+		}
+		return userlist;
+	}
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/MailHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/MailHelper.java
new file mode 100644
index 000000000..3081f3929
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/MailHelper.java
@@ -0,0 +1,254 @@
+package at.gv.egovernment.moa.id.configuration.helper;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.io.UnsupportedEncodingException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Properties;
+
+import javax.mail.BodyPart;
+import javax.mail.Message;
+import javax.mail.MessagingException;
+import javax.mail.Session;
+import javax.mail.Transport;
+import javax.mail.internet.InternetAddress;
+import javax.mail.internet.MimeBodyPart;
+import javax.mail.internet.MimeMessage;
+import javax.mail.internet.MimeMultipart;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.log4j.Logger;
+
+import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
+import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class MailHelper {
+
+	private static final Logger log = Logger.getLogger(MailHelper.class);
+
+	private static final String PATTERN_GIVENNAME = "#GIVENNAME#";
+	private static final String PATTERN_FAMILYNAME = "#FAMILYNAME#";
+	private static final String PATTERN_URL = "#MANDATE_SERVICE_LINK#";
+	private static final String PATTERN_DATE = "#TODAY_DATE#";
+	private static final String PATTERN_OPENOAS = "#NUMBER_OAS#";
+	private static final String PATTERN_OPENUSERS = "#NUMBER_USERSS#";
+	private static final String PATTERN_OANAME = "#OANAME#";
+	
+	public static void sendUserMailAddressVerification(UserDatabase userdb) throws ConfigurationException {
+		
+		ConfigurationProvider config = ConfigurationProvider.getInstance();
+		String templateurl = config.getMailUserAcountVerificationTemplate();
+		
+		String template = readTemplateFromURL(templateurl);
+		
+		if (userdb.isIsMandateUser()) {
+			template = template.replace(PATTERN_GIVENNAME, userdb.getInstitut());
+			template = template.replace(PATTERN_FAMILYNAME, "");
+			
+		} else {
+			template = template.replace(PATTERN_GIVENNAME, userdb.getGivenname());
+			template = template.replace(PATTERN_FAMILYNAME, userdb.getFamilyname());
+		}
+		
+		SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");	
+		template = template.replace(PATTERN_DATE, dateformat.format(new Date()));
+		
+		String verificationURL = config.getPublicUrlPreFix(null);
+		
+		if (!verificationURL.endsWith("/"))
+			verificationURL = verificationURL + "/";
+		
+		verificationURL = verificationURL + Constants.SERVLET_ACCOUNTVERIFICATION + 
+				"?" + Constants.REQUEST_USERREQUESTTOKKEN +
+				"=" + userdb.getUserRequestTokken();
+		template = template.replace(PATTERN_URL, verificationURL);
+		
+		sendMail(config, config.getMailUserAcountVerificationSubject(), 
+				userdb.getMail(), template);
+		
+	}
+	
+	public static void sendAdminMail(int numOpenOAs, int numOpenUsers) throws ConfigurationException {
+		ConfigurationProvider config = ConfigurationProvider.getInstance();
+		String templateurl = config.getMailAdminTemplate();
+		
+		String template = readTemplateFromURL(templateurl);
+		template = template.replace(PATTERN_OPENOAS, String.valueOf(numOpenOAs));
+		template = template.replace(PATTERN_OPENUSERS, String.valueOf(numOpenUsers));
+		
+		SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");	
+		template = template.replace(PATTERN_DATE, dateformat.format(new Date()));
+		
+		sendMail(config, config.getMailAdminSubject(), config.getMailAdminAddress(), template);
+		
+	}
+	
+	public static void sendUserAccountActivationMail(String givenname, String familyname, String institut, String mailurl) throws ConfigurationException {
+		ConfigurationProvider config = ConfigurationProvider.getInstance();
+		String templateurl = config.getMailUserAcountActivationTemplate();
+		
+		String template = readTemplateFromURL(templateurl);
+		if (MiscUtil.isNotEmpty(institut)) {
+			template = template.replace(PATTERN_GIVENNAME, institut);
+			template = template.replace(PATTERN_FAMILYNAME, "");
+			
+		} else {
+			template = template.replace(PATTERN_GIVENNAME, givenname);
+			template = template.replace(PATTERN_FAMILYNAME, familyname);
+		}
+			
+		
+		SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");	
+		template = template.replace(PATTERN_DATE, dateformat.format(new Date()));
+		
+		String verificationURL = config.getPublicUrlPreFix(null);
+		if (!verificationURL.endsWith("/"))
+			verificationURL = verificationURL + "/";
+		
+		template = template.replace(PATTERN_URL, verificationURL);
+		
+		sendMail(config, config.getMailUserAcountActivationSubject(), 
+				mailurl, template);
+	}
+	
+	public static void sendUserOnlineApplicationActivationMail(String givenname, String familyname, String institut, String oaname, String mailurl) throws ConfigurationException {
+		ConfigurationProvider config = ConfigurationProvider.getInstance();
+		String templateurl = config.getMailOAActivationTemplate();
+		
+		String template = readTemplateFromURL(templateurl);
+		if (MiscUtil.isNotEmpty(institut)) {
+			template = template.replace(PATTERN_GIVENNAME, institut);
+			template = template.replace(PATTERN_FAMILYNAME, "");
+			
+		} else {
+			template = template.replace(PATTERN_GIVENNAME, givenname);
+			template = template.replace(PATTERN_FAMILYNAME, familyname);
+		}
+			
+		template = template.replace(PATTERN_OANAME, oaname);
+		
+		SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");	
+		template = template.replace(PATTERN_DATE, dateformat.format(new Date()));
+		
+		String verificationURL = config.getPublicUrlPreFix(null);
+		if (!verificationURL.endsWith("/"))
+			verificationURL = verificationURL + "/";
+		
+		template = template.replace(PATTERN_URL, verificationURL);
+		
+		sendMail(config, config.getMailOAActivationSubject(), 
+				mailurl, template);
+	}
+	
+	public static void sendUserAccountRevocationMail(UserDatabase userdb) throws ConfigurationException {
+		ConfigurationProvider config = ConfigurationProvider.getInstance();
+		String templateurl = config.getMailUserAcountRevocationTemplate();
+		
+		String template = readTemplateFromURL(templateurl);
+		
+		if (userdb.isIsMandateUser()) {
+			template = template.replace(PATTERN_GIVENNAME, userdb.getInstitut());
+			template = template.replace(PATTERN_FAMILYNAME, "");
+			
+		} else {
+			template = template.replace(PATTERN_GIVENNAME, userdb.getGivenname());
+			template = template.replace(PATTERN_FAMILYNAME, userdb.getFamilyname());
+		}
+		
+		SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");	
+		template = template.replace(PATTERN_DATE, dateformat.format(new Date()));
+				
+		sendMail(config, config.getMailUserAcountActivationSubject(), 
+				userdb.getMail(), template);
+	}
+	
+	private static String readTemplateFromURL(String templateurl) throws ConfigurationException {
+		InputStream input;
+		try {
+			File file = new File(templateurl);
+			input = new  FileInputStream(file);
+			StringWriter writer = new StringWriter();
+			IOUtils.copy(input, writer);
+			input.close();
+			return writer.toString();
+			
+		} catch (Exception e)  {
+			log.warn("Mailtemplate can not be read from source" + templateurl);
+			throw new ConfigurationException("Mailtemplate can not be read from source" + templateurl);
+			
+		}
+	}
+	
+	private static void sendMail(ConfigurationProvider config, String subject, String recipient, String content) throws ConfigurationException {
+		try {
+			log.debug("Sending mail.");
+			MiscUtil.assertNotNull(subject, "subject");
+			MiscUtil.assertNotNull(recipient, "recipient");
+			MiscUtil.assertNotNull(content, "content");
+						
+			Properties props = new Properties();
+			props.setProperty("mail.transport.protocol", "smtp");
+			props.setProperty("mail.host", config.getSMTPMailHost());
+			log.trace("Mail host: " + config.getSMTPMailHost());
+			if (config.getSMTPMailPort() != null) {
+				log.trace("Mail port: " + config.getSMTPMailPort());
+				props.setProperty("mail.port", config.getSMTPMailPort());
+			}
+			if (config.getSMTPMailUsername() != null) {
+				log.trace("Mail user: " + config.getSMTPMailUsername());
+				props.setProperty("mail.user", config.getSMTPMailUsername());
+			}
+			if (config.getSMTPMailPassword() != null) {
+				log.trace("Mail password: " + config.getSMTPMailPassword());
+				props.setProperty("mail.password", config.getSMTPMailPassword());
+			}
+	    
+			Session mailSession = Session.getDefaultInstance(props, null);
+			Transport transport = mailSession.getTransport();
+	
+			MimeMessage message = new MimeMessage(mailSession);
+			message.setSubject(subject);
+			log.trace("Mail from: " + config.getMailFromName() + "/" + config.getMailFromAddress());
+			message.setFrom(new InternetAddress(config.getMailFromAddress(), config.getMailFromName()));
+			log.trace("Recipient: " + recipient);
+			message.addRecipient(Message.RecipientType.TO, new InternetAddress(recipient));
+	    
+			log.trace("Creating multipart content of mail.");
+			MimeMultipart multipart = new MimeMultipart("related");
+	    
+			log.trace("Adding first part (html)");
+			BodyPart messageBodyPart = new MimeBodyPart();
+			messageBodyPart.setContent(content, "text/html; charset=ISO-8859-15");
+			multipart.addBodyPart(messageBodyPart);
+	
+//			log.trace("Adding mail images");
+//			messageBodyPart = new MimeBodyPart();
+//			for (Image image : images) {
+//				messageBodyPart.setDataHandler(new DataHandler(image));
+//				messageBodyPart.setHeader("Content-ID", "<" + image.getContentId() + ">");
+//				multipart.addBodyPart(messageBodyPart);
+//			}
+			
+			message.setContent(multipart);
+			transport.connect();
+			log.trace("Sending mail message.");
+			transport.sendMessage(message, message.getRecipients(Message.RecipientType.TO));
+			log.trace("Successfully sent.");
+			transport.close();
+			
+		} catch(MessagingException e) {
+			throw new ConfigurationException(e);
+			
+		} catch (UnsupportedEncodingException e) {
+			throw new ConfigurationException(e);
+			
+		}
+	}
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java
index 3f6005b97..bad522a4b 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java
@@ -10,6 +10,7 @@ import java.util.Set;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.log4j.Logger;
 import org.apache.struts2.interceptor.ServletRequestAware;
@@ -53,6 +54,7 @@ import at.gv.egovernment.moa.id.configuration.data.GeneralMOAIDConfig;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
 import at.gv.egovernment.moa.id.configuration.validation.moaconfig.MOAConfigValidator;
 import at.gv.egovernment.moa.id.configuration.validation.moaconfig.PVP2ContactValidator;
+import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.util.MiscUtil;
 
 import com.opensymphony.xwork2.ActionSupport;
@@ -67,12 +69,18 @@ public class EditGeneralConfigAction extends ActionSupport
 	private HttpServletResponse response;
 	
 	private AuthenticatedUser authUser; 
-	
 	private GeneralMOAIDConfig moaconfig;
 	
+	private String formID;
+	
 	public String loadConfig() {
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 			
 		if (authUser.isAdmin()) {
@@ -84,6 +92,9 @@ public class EditGeneralConfigAction extends ActionSupport
 			
 			ConfigurationDBUtils.closeSession();
 			
+			formID = Random.nextRandom();
+			session.setAttribute(Constants.SESSION_FORMID, formID);
+			
 			return Constants.STRUTS_SUCCESS;
 		
 		} else {
@@ -93,11 +104,30 @@ public class EditGeneralConfigAction extends ActionSupport
 	}
 	
 	public String saveConfig() {
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
-		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 		
+		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+		if (formidobj != null && formidobj instanceof String) {
+			String formid = (String) formidobj;
+			if (!formid.equals(formID)) {
+				log.warn("FormIDs does not match. Some suspect Form is received from user "
+						+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+				return Constants.STRUTS_ERROR;
+			}			
+		} else {
+			log.warn("FormIDs does not match. Some suspect Form is received from user "
+					+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+			return Constants.STRUTS_ERROR;
+		}
+		session.setAttribute(Constants.SESSION_FORMID, null);
+		
 		if (authUser.isAdmin()) {
 			
 			MOAConfigValidator validator = new MOAConfigValidator();
@@ -109,6 +139,8 @@ public class EditGeneralConfigAction extends ActionSupport
 				for (String el : errors)
 					addActionError(el);	
 				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
 				return Constants.STRUTS_ERROR_VALIDATION;
 			}
 			
@@ -505,6 +537,20 @@ public class EditGeneralConfigAction extends ActionSupport
 	public void setMoaconfig(GeneralMOAIDConfig moaconfig) {
 		this.moaconfig = moaconfig;
 	}
+
+	/**
+	 * @return the formID
+	 */
+	public String getFormID() {
+		return formID;
+	}
+
+	/**
+	 * @param formID the formID to set
+	 */
+	public void setFormID(String formID) {
+		this.formID = formID;
+	}
 	
 	
 	
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
index 297d80726..8d20fe118 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
@@ -8,6 +8,7 @@ import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.log4j.Logger;
 import org.apache.struts2.interceptor.ServletRequestAware;
@@ -38,13 +39,17 @@ import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config;
 import at.gv.egovernment.moa.id.configuration.data.oa.OASAML1Config;
 import at.gv.egovernment.moa.id.configuration.data.oa.OASSOConfig;
 import at.gv.egovernment.moa.id.configuration.data.oa.OASTORKConfig;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
+import at.gv.egovernment.moa.id.configuration.helper.MailHelper;
+import at.gv.egovernment.moa.id.configuration.validation.TargetValidator;
 import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper;
 import at.gv.egovernment.moa.id.configuration.validation.oa.OAGeneralConfigValidation;
 import at.gv.egovernment.moa.id.configuration.validation.oa.OAPVP2ConfigValidation;
 import at.gv.egovernment.moa.id.configuration.validation.oa.OASAML1ConfigValidation;
 import at.gv.egovernment.moa.id.configuration.validation.oa.OASSOConfigValidation;
 import at.gv.egovernment.moa.id.configuration.validation.oa.OASTORKConfigValidation;
+import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.util.MiscUtil;
 
 import com.opensymphony.xwork2.ActionSupport;
@@ -63,6 +68,9 @@ ServletResponseAware {
 	
 	private String oaidobj;
 	private boolean newOA;
+	private String formID;
+	
+	private String nextPage;
 	
 	private OAGeneralConfig generalOA = new OAGeneralConfig();
 	private OAPVP2Config pvp2OA = new OAPVP2Config();
@@ -72,11 +80,16 @@ ServletResponseAware {
 	
 	//STRUTS actions
 	public String inital() {
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		
 		authUser = (AuthenticatedUser) authUserObj;
-
+		
 		long oaid = -1;
 		
 		if (!ValidationHelper.validateOAID(oaidobj)) {
@@ -88,8 +101,15 @@ ServletResponseAware {
 		OnlineApplication onlineapplication = null;;
 		if (authUser.isAdmin())
 			onlineapplication = ConfigurationDBRead.getOnlineApplication(oaid);
+		
 		else {
 			UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID());
+
+			if (!userdb.isIsMailAddressVerified() && !authUser.isAdmin()) {
+				log.info("Online-Applikation managemant disabled. Mail address is not verified.");
+				addActionError(LanguageHelper.getErrorString("error.editoa.mailverification"));
+			}
+			
 			List<OnlineApplication> oas = userdb.getOnlineApplication();
 			for (OnlineApplication oa : oas) {
 				if (oa.getHjid() == oaid) {
@@ -115,7 +135,10 @@ ServletResponseAware {
 		
 		ConfigurationDBUtils.closeSession();
 	
-		request.getSession().setAttribute(Constants.SESSION_OAID, oaid);
+		session.setAttribute(Constants.SESSION_OAID, oaid);
+		
+		formID = Random.nextRandom();
+		session.setAttribute(Constants.SESSION_FORMID, formID);
 		
 		newOA = false;
 		
@@ -124,24 +147,66 @@ ServletResponseAware {
 	
 	public String newOA() {
 		log.debug("insert new Online-Application");
+	
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
+	
+		session.setAttribute(Constants.SESSION_OAID, null);
+		nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name();
 		
-		request.getSession().setAttribute(Constants.SESSION_OAID, null);
-		
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		
 		authUser = (AuthenticatedUser) authUserObj;
 	
+		UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID());
+		if (!userdb.isIsMailAddressVerified() && !authUser.isAdmin()) {
+			log.info("Online-Applikation managemant disabled. Mail address is not verified.");
+			addActionError(LanguageHelper.getErrorString("error.editoa.mailverification"));
+		}
+		
 		newOA = true;
 		
+		formID = Random.nextRandom();
+		session.setAttribute(Constants.SESSION_FORMID, formID);
+		
 		return Constants.STRUTS_OA_EDIT;
 	}
 	
 	public String saveOA() {
-
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 
+		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+		if (formidobj != null && formidobj instanceof String) {
+			String formid = (String) formidobj;
+			if (!formid.equals(formID)) {
+				log.warn("FormIDs does not match. Some suspect Form is received from user "
+						+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+				return Constants.STRUTS_ERROR;
+			}			
+		} else {
+			log.warn("FormIDs does not match. Some suspect Form is received from user "
+					+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+			return Constants.STRUTS_ERROR;
+		}
+		session.setAttribute(Constants.SESSION_FORMID, null);
+		
+		UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID());
+		if (!authUser.isAdmin() && !userdb.isIsMailAddressVerified()) {
+			log.info("Online-Applikation managemant disabled. Mail address is not verified.");
+			addActionError(LanguageHelper.getErrorString("error.editoa.mailverification"));
+			return Constants.STRUTS_SUCCESS;
+		}
+		
 		OnlineApplication onlineapplication = null;
 		List<String> errors = new ArrayList<String>();
 		
@@ -170,15 +235,15 @@ ServletResponseAware {
 			
 		} else {
 			
-			//TODO: oaidentifier has to be a URL according to PVP2.1 specification
-			if (ValidationHelper.isValidOAIdentifier(oaidentifier)) {
-				log.warn("IdentificationNumber contains potentail XSS characters: " + oaidentifier);
+			if (!ValidationHelper.validateURL(oaidentifier)) {
+				log.warn("OnlineapplikationIdentifier is not a valid URL: " + oaidentifier);
 				errors.add(LanguageHelper.getErrorString("validation.general.oaidentifier.valid", 
 						new Object[] {ValidationHelper.getNotValidOAIdentifierCharacters()} ));
 			} else {
 			
 				if (oaid == -1) {
 					onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier);
+					newOA = true;
 					if (onlineapplication != null)  {
 						log.info("The OAIdentifier is not unique");
 						errors.add(LanguageHelper.getErrorString("validation.general.oaidentifier.notunique"));
@@ -215,23 +280,108 @@ ServletResponseAware {
 			for (String el : errors)
 				addActionError(el);	
 			
+			formID = Random.nextRandom();
+			session.setAttribute(Constants.SESSION_FORMID, formID);
 			return Constants.STRUTS_ERROR_VALIDATION;
 			
 		} else {
 			
-			String error = saveOAConfigToDatabase(onlineapplication);
+			boolean newentry = false;
+			
+			if (onlineapplication == null) {
+				onlineapplication = new OnlineApplication();
+				newentry = true;
+				onlineapplication.setIsActive(false);
+								
+				if (!authUser.isAdmin()) {
+					onlineapplication.setIsAdminRequired(true);
+				}
+				
+			} else {
+				if (!authUser.isAdmin() && 
+						!onlineapplication.getPublicURLPrefix().
+						equals(generalOA.getIdentifier())) {
+					
+					onlineapplication.setIsAdminRequired(true);
+					onlineapplication.setIsActive(false);
+					log.info("User with ID " + authUser.getUserID() 
+							+ " change OA-PublicURLPrefix. Reaktivation is required.");
+				}
+				
+			}
+			
+			if ( (onlineapplication.isIsAdminRequired() == null) || 
+					(authUser.isAdmin() && generalOA.isActive() 
+										&& onlineapplication.isIsAdminRequired()) ) {
+				
+				onlineapplication.setIsAdminRequired(false);
+				
+				UserDatabase user = ConfigurationDBRead.getUsersWithOADBID(onlineapplication.getHjid());
+				if (user != null) {
+					try {
+						MailHelper.sendUserOnlineApplicationActivationMail(
+								user.getGivenname(), 
+								user.getFamilyname(), 
+								user.getInstitut(), 
+								onlineapplication.getPublicURLPrefix(), 
+								user.getMail());
+					} catch (ConfigurationException e) {
+						log.warn("Sending Mail to User " + user.getMail() + " failed", e);
+					}
+				}
+				
+			}
+			
+			
+			String error = saveOAConfigToDatabase(onlineapplication, newentry);
 			if (MiscUtil.isNotEmpty(error)) {
 				log.warn("OA configuration can not be stored!");
-				addActionError(error);	
+				addActionError(error);
+				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
 				return Constants.STRUTS_ERROR_VALIDATION;
 			}
 		}
 		
 
+		Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA);	
+		if (nextPageAttr != null && nextPageAttr instanceof String) {
+			nextPage = (String) nextPageAttr;
+			session.setAttribute(Constants.SESSION_RETURNAREA, null);
+			
+		} else {
+			nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name();
+		}
 		
-		request.getSession().setAttribute(Constants.SESSION_OAID, null);
-		addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.success", generalOA.getIdentifier(), request));
 		
+		if (onlineapplication.isIsAdminRequired()) {
+			int numoas = 0;
+			int numusers = 0;
+			
+			List<OnlineApplication> openOAs = ConfigurationDBRead.getAllNewOnlineApplications();
+			if (openOAs != null)
+				numoas = openOAs.size();
+			
+			List<UserDatabase> openUsers = ConfigurationDBRead.getAllNewUsers();
+			if (openUsers != null)
+				numusers = openUsers.size();					
+			try {
+				
+				addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.success.admin", generalOA.getIdentifier(), request));
+				
+				if (numusers > 0 || numoas > 0)
+					MailHelper.sendAdminMail(numoas, numusers);
+				
+			} catch (ConfigurationException e) {
+				log.warn("Sending Mail to Admin failed.", e);
+			}
+			
+		} else
+			addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.success", generalOA.getIdentifier(), request));	
+		
+	
+		request.getSession().setAttribute(Constants.SESSION_OAID, null);
 		ConfigurationDBUtils.closeSession();
 		
 		return Constants.STRUTS_SUCCESS;
@@ -239,7 +389,22 @@ ServletResponseAware {
 	
 	public String cancleAndBackOA() {
 		
-		request.getSession().setAttribute(Constants.SESSION_OAID, null);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
+
+		Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA);	
+		if (nextPageAttr != null && nextPageAttr instanceof String) {
+			nextPage = (String) nextPageAttr;
+			session.setAttribute(Constants.SESSION_RETURNAREA, null);
+			
+		} else {
+			nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name();
+		}
+		
+		session.setAttribute(Constants.SESSION_OAID, null);
 		
 		addActionMessage(LanguageHelper.getGUIString("webpages.oaconfig.cancle", generalOA.getIdentifier(), request));
 		
@@ -249,15 +414,52 @@ ServletResponseAware {
 	}
 	
 	public String deleteOA() {
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
-
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 		
+		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+		if (formidobj != null && formidobj instanceof String) {
+			String formid = (String) formidobj;
+			if (!formid.equals(formID)) {
+				log.warn("FormIDs does not match. Some suspect Form is received from user "
+						+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+				return Constants.STRUTS_ERROR;
+			}			
+		} else {
+			log.warn("FormIDs does not match. Some suspect Form is received from user "
+					+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+			return Constants.STRUTS_ERROR;
+		}
+		session.setAttribute(Constants.SESSION_FORMID, null);
+		
+		Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA);	
+		if (nextPageAttr != null && nextPageAttr instanceof String) {
+			nextPage = (String) nextPageAttr;
+			
+		} else {
+			nextPage = Constants.STRUTS_RETURNAREA_VALUES.main.name();
+		}
+				
+		UserDatabase userdb = ConfigurationDBRead.getUserWithID(authUser.getUserID());
+		if (!authUser.isAdmin() && !userdb.isIsMailAddressVerified()) {
+			log.info("Online-Applikation managemant disabled. Mail address is not verified.");
+			addActionError(LanguageHelper.getErrorString("error.editoa.mailverification"));
+			return Constants.STRUTS_SUCCESS;
+		}
+		
 		String oaidentifier = generalOA.getIdentifier();
 		if (MiscUtil.isEmpty(oaidentifier)) {
 			log.info("Empty OA identifier");
 			addActionError(LanguageHelper.getErrorString("validation.general.oaidentifier.empty"));
+			
+			formID = Random.nextRandom();
+			session.setAttribute(Constants.SESSION_FORMID, formID);
 			return Constants.STRUTS_ERROR_VALIDATION;
 			
 		} else {
@@ -265,6 +467,9 @@ ServletResponseAware {
 				log.warn("IdentificationNumber contains potentail XSS characters: " + oaidentifier);
 				addActionError(LanguageHelper.getErrorString("validation.general.oaidentifier.valid", 
 						new Object[] {ValidationHelper.getNotValidOAIdentifierCharacters()} ));
+				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
 				return Constants.STRUTS_ERROR_VALIDATION;
 			}
 		}
@@ -310,16 +515,8 @@ ServletResponseAware {
 
 	}
 	
-	private String saveOAConfigToDatabase(OnlineApplication dboa) {
-		
-		boolean newentry = false;
-		
-		if (dboa == null) {
-			dboa = new OnlineApplication();
-			newentry = true;
-			dboa.setIsActive(false);
-		}
-
+	private String saveOAConfigToDatabase(OnlineApplication dboa, boolean newentry) {
+						
 		AuthComponentOA authoa = dboa.getAuthComponentOA();
 		if (authoa == null) { 
 			authoa = new AuthComponentOA();
@@ -331,72 +528,134 @@ ServletResponseAware {
 		
 		dboa.setFriendlyName(generalOA.getFriendlyName());
 		dboa.setCalculateHPI(generalOA.isCalculateHPI());
-		dboa.setKeyBoxIdentifier(MOAKeyBoxSelector.fromValue(generalOA.getKeyBoxIdentifier()));
+		dboa.setRemoveBPKFromAuthBlock(generalOA.isHideBPKAuthBlock());
+		
+		if (authUser.isAdmin())
+			dboa.setKeyBoxIdentifier(MOAKeyBoxSelector.fromValue(generalOA.getKeyBoxIdentifier()));
+		else {
+			if (newentry)
+				dboa.setKeyBoxIdentifier(MOAKeyBoxSelector.SECURE_SIGNATURE_KEYPAIR);
+		}
+		
 		dboa.setPublicURLPrefix(generalOA.getIdentifier());
 		
 		if (generalOA.isBusinessService()) {
 			dboa.setType(Constants.MOA_CONFIG_BUSINESSSERVICE);
 			
+			String num = generalOA.getIdentificationNumber().replaceAll(" ", "");
+			if (num.startsWith(Constants.IDENIFICATIONTYPE_FN))
+				num = num.substring(Constants.IDENIFICATIONTYPE_FN.length());
+			
+			if (num.startsWith(Constants.IDENIFICATIONTYPE_ZVR))
+				num = num.substring(Constants.IDENIFICATIONTYPE_ZVR.length());
+			
+			if (num.startsWith(Constants.IDENIFICATIONTYPE_ERSB))
+				num = num.substring(Constants.IDENIFICATIONTYPE_ERSB.length());
+			
 			IdentificationNumber idnumber = new IdentificationNumber();
-			idnumber.setValue(generalOA.getIdentificationNumber());
+			idnumber.setValue(
+					Constants.PREFIX_WPBK + 
+					generalOA.getIdentificationType() + 
+					"+" + 
+					num);
+			
 			authoa.setIdentificationNumber(idnumber);
 			
 		} 
 		else {
 			dboa.setType(null);
-			dboa.setTarget(generalOA.getTarget());
-			dboa.setTargetFriendlyName(generalOA.getTargetFriendlyName());
 			
+			if (authUser.isAdmin()) {
+				if (MiscUtil.isNotEmpty(generalOA.getTarget_admin()) &&
+						generalOA.isAdminTarget() ) {
+					dboa.setTarget(generalOA.getTarget_admin());
+					dboa.setTargetFriendlyName(generalOA.getTargetFriendlyName());
+					
+				} else {
+					String target_full = generalOA.getTarget();
+					String[] target_split = target_full.split("-");
+					if (MiscUtil.isNotEmpty(generalOA.getTarget_subsector()))
+						dboa.setTarget(target_split[0] + "-" + generalOA.getTarget_subsector());
+					else
+						dboa.setTarget(target_full);
+					
+					String targetname = TargetValidator.getTargetFriendlyName(target_full);
+					if (MiscUtil.isNotEmpty(targetname))
+						dboa.setTargetFriendlyName(targetname);
+					else 
+						dboa.setTargetFriendlyName(TargetValidator.getTargetFriendlyName(target_split[0]));							
+				}
+				
+			} else {
+				if (MiscUtil.isNotEmpty(generalOA.getTarget())) {
+					String target_full = generalOA.getTarget();
+					String[] target_split = target_full.split("-");
+					dboa.setTarget(target_split[0] + "-" + generalOA.getTarget_subsector());
+					
+					if (MiscUtil.isNotEmpty(generalOA.getTarget_subsector()))
+						dboa.setTarget(target_split[0] + "-" + generalOA.getTarget_subsector());
+					
+					else
+						dboa.setTarget(target_full);
+					
+					String targetname = TargetValidator.getTargetFriendlyName(target_full);
+					if (MiscUtil.isNotEmpty(targetname))
+						dboa.setTargetFriendlyName(targetname);
+					else 
+						dboa.setTargetFriendlyName(TargetValidator.getTargetFriendlyName(target_split[0]));
+				}
+			}			
 		}
 		
 		BKUURLS bkuruls = new BKUURLS();
 		authoa.setBKUURLS(bkuruls);
-		bkuruls.setHandyBKU(generalOA.getBkuHandyURL());
-		bkuruls.setLocalBKU(generalOA.getBkuLocalURL());
-		bkuruls.setOnlineBKU(generalOA.getBkuOnlineURL());
+		if (authUser.isAdmin()) {
+			bkuruls.setHandyBKU(generalOA.getBkuHandyURL());
+			bkuruls.setLocalBKU(generalOA.getBkuLocalURL());
+			bkuruls.setOnlineBKU(generalOA.getBkuOnlineURL());
+		}
 		
 		Mandates mandates = new Mandates();
 		mandates.setProfiles(generalOA.getMandateProfiles());
 		authoa.setMandates(mandates);
-		
-		authoa.setSlVersion(generalOA.getSlVersion());
-		authoa.setUseIFrame(generalOA.isUseIFrame());
-		authoa.setUseUTC(generalOA.isUseUTC());
-		
+				
 		TemplatesType templates = authoa.getTemplates();
 		if (templates == null) {
 			templates = new TemplatesType();
 			authoa.setTemplates(templates);
 		}
-		templates.setAditionalAuthBlockText(generalOA.getAditionalAuthBlockText());
 		
-		List<TemplateType> template = templates.getTemplate();
-		if (generalOA.isLegacy()) {
+		if (authUser.isAdmin()) {
+			templates.setAditionalAuthBlockText(generalOA.getAditionalAuthBlockText());
+		
+			List<TemplateType> template = templates.getTemplate();
+			if (generalOA.isLegacy()) {
 			
-			if (template == null)
-				template = new ArrayList<TemplateType>();
-			else
-				template.clear();
+				if (template == null)
+					template = new ArrayList<TemplateType>();
+				else
+					template.clear();
 			
-			if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL1())) {
-				TemplateType el = new TemplateType();
-				el.setURL(generalOA.getSLTemplateURL1());
-				template.add(el);
-			}
-			if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL2())) {
-				TemplateType el = new TemplateType();
-				el.setURL(generalOA.getSLTemplateURL2());
-				template.add(el);
-			}
-			if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL3())) {
-				TemplateType el = new TemplateType();
-				el.setURL(generalOA.getSLTemplateURL3());
-				template.add(el);
+				if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL1())) {
+					TemplateType el = new TemplateType();
+					el.setURL(generalOA.getSLTemplateURL1());
+					template.add(el);
+				}
+				if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL2())) {
+					TemplateType el = new TemplateType();
+					el.setURL(generalOA.getSLTemplateURL2());
+					template.add(el);
+				}
+				if (MiscUtil.isNotEmpty(generalOA.getSLTemplateURL3())) {
+					TemplateType el = new TemplateType();
+					el.setURL(generalOA.getSLTemplateURL3());
+					template.add(el);
+				}
+				
+			} else {
+				if (template != null && template.size() > 0)
+					template.clear();
 			}
-			
-		} else {
-			if (template != null && template.size() > 0)
-				template.clear();
 		}
 				
 		//set default transformation if it is empty
@@ -609,4 +868,28 @@ ServletResponseAware {
 		this.newOA = newOA;
 	}
 
+	/**
+	 * @return the nextPage
+	 */
+	public String getNextPage() {
+		return nextPage;
+	}
+
+	/**
+	 * @return the formID
+	 */
+	public String getFormID() {
+		return formID;
+	}
+
+	/**
+	 * @param formID the formID to set
+	 */
+	public void setFormID(String formID) {
+		this.formID = formID;
+	}
+	
+	
+	
+
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java
index 1cb4fa802..d3d00186f 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java
@@ -3,26 +3,21 @@ package at.gv.egovernment.moa.id.configuration.struts.action;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.StringReader;
 import java.io.StringWriter;
-import java.net.MalformedURLException;
 import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
-import javax.xml.transform.Result;
 
 import org.apache.commons.io.IOUtils;
 import org.apache.log4j.Logger;
 import org.apache.struts2.interceptor.ServletRequestAware;
 import org.apache.struts2.interceptor.ServletResponseAware;
-import org.hibernate.lob.ReaderInputStream;
-import org.w3c.dom.Node;
 
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
@@ -35,7 +30,7 @@ import at.gv.egovernment.moa.id.configuration.Constants;
 import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
 import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
-import at.iaik.commons.util.IOUtil;
+import at.gv.egovernment.moa.id.util.Random;
 
 import com.opensymphony.xwork2.ActionSupport;
 
@@ -51,6 +46,7 @@ implements ServletRequestAware, ServletResponseAware {
 	private HttpServletResponse response;
 	
 	private AuthenticatedUser authUser; 
+	private String formID;
 	
 	private File fileUpload = null;
 	private String fileUploadContentType = null;
@@ -59,13 +55,20 @@ implements ServletRequestAware, ServletResponseAware {
 	private InputStream fileInputStream;
 	
 	public String init() {
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
-		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 		
 		if (authUser.isAdmin()) {
-							
+			
+			formID = Random.nextRandom();
+			session.setAttribute(Constants.SESSION_FORMID, formID);
+			
 			return Constants.STRUTS_SUCCESS;
 			
 		} else {
@@ -76,16 +79,39 @@ implements ServletRequestAware, ServletResponseAware {
 	}
 	
 	public String importLegacyConfig() {
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 		
+		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+		if (formidobj != null && formidobj instanceof String) {
+			String formid = (String) formidobj;
+			if (!formid.equals(formID)) {
+				log.warn("FormIDs does not match. Some suspect Form is received from user "
+						+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+				return Constants.STRUTS_ERROR;
+			}			
+		} else {
+			log.warn("FormIDs does not match. Some suspect Form is received from user "
+					+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+			return Constants.STRUTS_ERROR;
+		}
+		session.setAttribute(Constants.SESSION_FORMID, null);
+		
 		if (authUser.isAdmin()) {
 		
 			//load legacy config if it is configured
 		
 			if (fileUpload == null) {
 				addActionError(LanguageHelper.getErrorString("errors.importexport.nofile"));
+				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
 				return Constants.STRUTS_ERROR_VALIDATION;
 			}
 			
@@ -97,6 +123,9 @@ implements ServletRequestAware, ServletResponseAware {
 			} catch (org.opensaml.xml.ConfigurationException e1) {
 				log.info("Legacy configuration has an Import Error", e1);
 				addActionError(LanguageHelper.getErrorString("errors.importexport.legacyimport", new Object[] {e1.getMessage()}));
+				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
 				return Constants.STRUTS_ERROR_VALIDATION;
 			}
 			log.debug("OpenSAML successfully initialized");
@@ -108,26 +137,24 @@ implements ServletRequestAware, ServletResponseAware {
 				try {
 					log.warn("WARNING! The legacy import deletes the hole old config");
 			
-					String rootConfigFileDir = new File(ConfigurationProvider.getInstance().getConfigFile()).getParent();	
-					
-					try {
-					  rootConfigFileDir = new File(rootConfigFileDir).toURL().toString();
-					  
-					} catch (MalformedURLException t) {
-						log.warn("RootConfiguration Directory is not found");
-						rootConfigFileDir = "";
-					}
-					
+					String rootConfigFileDir = ConfigurationProvider.getInstance().getConfigRootDir();	
+										
 					moaconfig = BuildFromLegacyConfig.build(fileUpload, rootConfigFileDir, moaidconfig);
 				
 				} catch (ConfigurationException e) {
 					log.info("Legacy configuration has an Import Error", e);
 					addActionError(LanguageHelper.getErrorString("errors.importexport.legacyimport", new Object[] {e.getMessage()}));
 					ConfigurationDBUtils.closeSession();
+					
+					formID = Random.nextRandom();
+					session.setAttribute(Constants.SESSION_FORMID, formID);
 					return Constants.STRUTS_ERROR_VALIDATION;
 					
 				} catch (at.gv.egovernment.moa.id.configuration.exception.ConfigurationException e) {
 					ConfigurationDBUtils.closeSession();
+					
+					formID = Random.nextRandom();
+					session.setAttribute(Constants.SESSION_FORMID, formID);
 					return Constants.STRUTS_ERROR_VALIDATION;
 				}
 				
@@ -155,6 +182,9 @@ implements ServletRequestAware, ServletResponseAware {
 			} catch (MOADatabaseException e) {
 				log.warn("General MOA-ID config can not be stored in Database");
 				addActionError(e.getMessage());
+				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
 				return Constants.STRUTS_ERROR_VALIDATION;
 			}
 			
@@ -174,10 +204,30 @@ implements ServletRequestAware, ServletResponseAware {
 	}
 	
 	public String downloadXMLConfig() {
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 		
+		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+		if (formidobj != null && formidobj instanceof String) {
+			String formid = (String) formidobj;
+			if (!formid.equals(formID)) {
+				log.warn("FormIDs does not match. Some suspect Form is received from user "
+						+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+				return Constants.STRUTS_ERROR;
+			}			
+		} else {
+			log.warn("FormIDs does not match. Some suspect Form is received from user "
+					+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+			return Constants.STRUTS_ERROR;
+		}
+		session.setAttribute(Constants.SESSION_FORMID, null);
+		
 		if (authUser.isAdmin()) {
 						
 			log.info("Write MOA-ID 2.x xml config");
@@ -194,6 +244,9 @@ implements ServletRequestAware, ServletResponseAware {
 				if (moaidconfig == null) {
 					log.info("No MOA-ID 2.x configruation available");
 					addActionError(LanguageHelper.getErrorString("errors.importexport.export.noconfig"));
+					
+					formID = Random.nextRandom();
+					session.setAttribute(Constants.SESSION_FORMID, formID);
 					return Constants.STRUTS_ERROR_VALIDATION;
 				}
 				
@@ -208,11 +261,17 @@ implements ServletRequestAware, ServletResponseAware {
 				log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e);
 				addActionError(LanguageHelper.getErrorString("errors.importexport.export",
 						new Object[]{e.getMessage()}));
+				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
 				return Constants.STRUTS_ERROR_VALIDATION;
 			} catch (IOException e) {
 				log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e);
 				addActionError(LanguageHelper.getErrorString("errors.importexport.export",
 						new Object[]{e.getMessage()}));
+				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
 				return Constants.STRUTS_ERROR_VALIDATION;
 			}
 			
@@ -230,10 +289,30 @@ implements ServletRequestAware, ServletResponseAware {
 	
 	
 	public String importXMLConfig() {
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 		
+		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+		if (formidobj != null && formidobj instanceof String) {
+			String formid = (String) formidobj;
+			if (!formid.equals(formID)) {
+				log.warn("FormIDs does not match. Some suspect Form is received from user "
+						+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+				return Constants.STRUTS_ERROR;
+			}			
+		} else {
+			log.warn("FormIDs does not match. Some suspect Form is received from user "
+					+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+			return Constants.STRUTS_ERROR;
+		}
+		session.setAttribute(Constants.SESSION_FORMID, null);
+		
 		if (authUser.isAdmin()) {
 			
 			if (fileUpload == null) {
@@ -271,6 +350,9 @@ implements ServletRequestAware, ServletResponseAware {
 				log.warn("MOA-ID XML configuration can not be loaded from File.", e);
 				addActionError(LanguageHelper.getErrorString("errors.importexport.import",
 						new Object[]{e.getMessage()}));
+				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
 				return Constants.STRUTS_ERROR_VALIDATION;
 				
 			}
@@ -360,4 +442,19 @@ implements ServletRequestAware, ServletResponseAware {
 	public InputStream getFileInputStream() {
 		return fileInputStream;
 	}
+
+	/**
+	 * @return the formID
+	 */
+	public String getFormID() {
+		return formID;
+	}
+
+	/**
+	 * @param formID the formID to set
+	 */
+	public void setFormID(String formID) {
+		this.formID = formID;
+	}
+	
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index 6078caa87..545a84800 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -1,34 +1,77 @@
 package at.gv.egovernment.moa.id.configuration.struts.action;
 
+import java.util.ArrayList;
 import java.util.Date;
+import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.log4j.Logger;
 import org.apache.struts2.interceptor.ServletRequestAware;
 import org.apache.struts2.interceptor.ServletResponseAware;
+import org.joda.time.DateTime;
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.saml2.core.Subject;
+import org.opensaml.saml2.core.SubjectConfirmation;
+import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.security.MetadataCredentialResolver;
+import org.opensaml.security.MetadataCredentialResolverFactory;
+import org.opensaml.security.MetadataCriteria;
+import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.xml.security.CriteriaSet;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.criteria.EntityIDCriteria;
+import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
+import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
+import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
+import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
 
 import com.opensymphony.xwork2.ActionSupport;
 
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
 import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.configuration.Constants;
 import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
 import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom;
 import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
 import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper;
+import at.gv.egovernment.moa.id.configuration.helper.DateTimeHelper;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
-import at.gv.egovernment.moa.id.configuration.validation.UserDatabaseFormValidator;
+import at.gv.egovernment.moa.id.configuration.helper.MailHelper;
 import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.util.MiscUtil;
 
 public class IndexAction extends ActionSupport implements ServletRequestAware,
 	ServletResponseAware {
 	
+	private static final long serialVersionUID = -2781497863862504896L;
+
 	private static final Logger log = Logger.getLogger(IndexAction.class);
 	
 	private HttpServletRequest request;
@@ -36,6 +79,11 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 	
 	private String password;
 	private String username;
+	private UserDatabaseFrom user = null;
+	private AuthenticatedUser authUser = null;
+	private String formID;
+	
+	private String ssologouturl;
 	
 	public String start() {
 				
@@ -80,12 +128,12 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 			return Constants.STRUTS_ERROR;
 			
 		} else {
-			if (!dbuser.isIsActive()) {
-				log.warn("Username " + dbuser.getUsername() + " is not active");
+			if (!dbuser.isIsActive() || !dbuser.isIsUsernamePasswordAllowed()) {
+				log.warn("Username " + dbuser.getUsername() + " is not active or Username/Password login is not allowed");
 				addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed"));
 				return Constants.STRUTS_ERROR;
 			}
-			
+						
 			if (!dbuser.getPassword().equals(key)) {
 				log.warn("Username " + dbuser.getUsername() + " use a false password");
 				addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed"));
@@ -96,13 +144,18 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 					dbuser.getHjid(), 
 					dbuser.getGivenname(), 
 					dbuser.getFamilyname(), 
+					dbuser.getInstitut(),
 					dbuser.getUsername(), 
 					true, 
-					dbuser.isIsAdmin());
+					dbuser.isIsAdmin(),
+					dbuser.isIsMandateUser(),
+					false);
 			
-			authuser.setLastLogin(dbuser.getLastLoginItem());
+			Date date = DateTimeHelper.parseDateTime(dbuser.getLastLogin());
+			if (date != null)
+				authuser.setLastLogin(date);;
 			
-			dbuser.setLastLoginItem(new Date());
+			dbuser.setLastLogin(DateTimeHelper.getDateTime(new Date()));
 			
 			try {
 				ConfigurationDBUtils.saveOrUpdate(dbuser);
@@ -120,13 +173,515 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 		}
 	}
 	
+	public String pvp2login() {
+		
+		String method = request.getMethod();
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("NO HTTP Session");
+			return Constants.STRUTS_ERROR;
+		}
+		
+		String authID = (String) session.getAttribute(Constants.SESSION_PVP2REQUESTID);
+		session.setAttribute(Constants.SESSION_PVP2REQUESTID, null);
+		
+		if (method.equals("POST")) {
+		
+			try {
+				ConfigurationProvider config = ConfigurationProvider.getInstance();
+				
+				//Decode with HttpPost Binding
+				HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool());
+				BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>();
+				messageContext
+					.setInboundMessageTransport(new HttpServletRequestAdapter(
+							request));
+				decode.decode(messageContext);
+				
+				Response samlResponse = (Response) messageContext.getInboundMessage();
+			
+				Signature sign = samlResponse.getSignature();
+				if (sign == null) {
+					log.info("Only http POST Requests can be used");
+					addActionError(LanguageHelper.getErrorString("error.login"));
+					return Constants.STRUTS_ERROR;
+				}
+				
+				//Validate Signature
+				SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
+				profileValidator.validate(sign);
+				
+				//Verify Signature
+				List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();
+				keyInfoProvider.add(new DSAKeyValueProvider());
+				keyInfoProvider.add(new RSAKeyValueProvider());
+				keyInfoProvider.add(new InlineX509DataProvider());
+
+				KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
+						keyInfoProvider);
+				
+				MetadataCredentialResolverFactory credentialResolverFactory = MetadataCredentialResolverFactory.getFactory();    
+				MetadataCredentialResolver credentialResolver = credentialResolverFactory.getInstance(config.getMetaDataProvier());  
+				  
+				CriteriaSet criteriaSet = new CriteriaSet();  
+				criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));  
+				criteriaSet.add(new EntityIDCriteria(config.getPVP2IDPMetadataEntityName()));
+				criteriaSet.add(new UsageCriteria(UsageType.SIGNING));
+				  				
+				ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
+				trustEngine.validate(sign, criteriaSet);
+				
+				log.info("PVP2 Assertion is valid");
+				
+				if (samlResponse.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+			
+					List<org.opensaml.saml2.core.Assertion> saml2assertions = samlResponse.getAssertions();
+										
+					if (MiscUtil.isEmpty(authID)) {
+						log.info("NO AuthRequestID");
+						return Constants.STRUTS_ERROR;
+					}
+					
+					for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+						
+						Subject subject = saml2assertion.getSubject();
+						List<SubjectConfirmation> subjectconformlist = subject.getSubjectConfirmations();
+						for (SubjectConfirmation el : subjectconformlist) {
+							if (el.getMethod().equals(SubjectConfirmation.METHOD_BEARER)) {
+								SubjectConfirmationData date = el.getSubjectConfirmationData();
+								
+								if (!authID.equals(date.getInResponseTo())) {
+									log.warn("PVPRequestID does not match PVP2 Assertion ID!");
+									return Constants.STRUTS_ERROR;
+									
+								}		
+							}
+						}
+												
+						Conditions conditions = saml2assertion.getConditions();
+						DateTime notbefore = conditions.getNotBefore();
+						DateTime notafter = conditions.getNotOnOrAfter();
+						if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
+							log.warn("PVP2 Assertion is out of Date");
+							return Constants.STRUTS_ERROR;
+							
+						}
+						
+						NameID nameID = subject.getNameID();
+						if (nameID == null) {
+							log.warn("No NameID element in PVP2 assertion!");
+							return Constants.STRUTS_ERROR;
+						}
+						
+						String bpkwbpk = nameID.getNameQualifier() + "+" + nameID.getValue();
+						
+						//search user
+						UserDatabase dbuser = ConfigurationDBRead.getUserWithUserBPKWBPK(bpkwbpk);
+						if (dbuser == null) {
+							log.info("No user found with bpk/wbpk " + bpkwbpk);
+							
+							//read PVP2 assertion attributes;
+							user = new UserDatabaseFrom();
+							user.setActive(false);
+							user.setAdmin(false);
+							user.setBpk(bpkwbpk);
+							user.setIsusernamepasswordallowed(false);
+							user.setIsmandateuser(false);
+							user.setPVPGenerated(true);
+							
+							authUser = new AuthenticatedUser();
+							authUser.setAdmin(false);
+							authUser.setAuthenticated(false);
+							authUser.setLastLogin(null);
+							authUser.setUserID(-1);
+							authUser.setUserName(null);
+							authUser.setPVP2Login(true);
+							authUser.setMandateUser(false);
+							
+							//loop through the nodes to get what we want
+							List<AttributeStatement> attributeStatements = saml2assertion.getAttributeStatements();
+							for (int i = 0; i < attributeStatements.size(); i++)
+							{
+								List<Attribute> attributes = attributeStatements.get(i).getAttributes();
+								for (int x = 0; x < attributes.size(); x++)
+								{
+									String strAttributeName = attributes.get(x).getDOM().getAttribute("Name");
+									
+									if (strAttributeName.equals(PVPConstants.PRINCIPAL_NAME_NAME)) {
+										user.setFamilyName(attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent());
+										authUser.setFamilyName(user.getFamilyName());
+									}
+									
+									if (strAttributeName.equals(PVPConstants.GIVEN_NAME_NAME)) {
+										user.setGivenName(attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent());
+										authUser.setGivenName(user.getGivenName());
+									}
+									
+									if (strAttributeName.equals(PVPConstants.MANDATE_TYPE_NAME)) {
+										authUser.setMandateUser(true);
+										user.setIsmandateuser(true);
+									}
+									
+									if (strAttributeName.equals(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)) {
+										user.setInstitut(attributes.get(x).getAttributeValues().get(0).getDOM().getTextContent());
+										authUser.setInstitute(user.getInstitut());
+									}		
+								}
+							}
+							
+							//set Random value
+							formID = Random.nextRandom();
+							session.setAttribute(Constants.SESSION_FORMID, formID);
+							session.setAttribute(Constants.SESSION_FORM, user);
+							session.setAttribute(Constants.SESSION_AUTH, authUser);	
+							
+							ConfigurationDBUtils.closeSession();
+							
+							return Constants.STRUTS_NEWUSER;
+							
+						} else {
+							if (!dbuser.isIsActive()) {
+								
+								if (!dbuser.isIsMailAddressVerified()) {
+									
+									formID = Random.nextRandom();
+									session.setAttribute(Constants.SESSION_FORMID, formID);
+									
+									user = new UserDatabaseFrom(dbuser);
+									authUser = new AuthenticatedUser(
+											dbuser.getHjid(), 
+											dbuser.getGivenname(), 
+											dbuser.getFamilyname(), 
+											dbuser.getInstitut(),
+											dbuser.getUsername(), 
+											false, 
+											false,
+											dbuser.isIsMandateUser(),
+											true);
+									session.setAttribute(Constants.SESSION_FORM, user);
+									session.setAttribute(Constants.SESSION_AUTH, authUser);
+									
+									return Constants.STRUTS_NEWUSER;
+									
+								}
+								
+								log.info("User with bpk/wbpk " + bpkwbpk + " is not active");
+								addActionError(LanguageHelper.getErrorString("webpages.index.username.notactive"));
+								return Constants.STRUTS_ERROR;
+							}
+							
+							authUser = new AuthenticatedUser(
+									dbuser.getHjid(), 
+									dbuser.getGivenname(), 
+									dbuser.getFamilyname(), 
+									dbuser.getInstitut(),
+									dbuser.getUsername(), 
+									true, 
+									dbuser.isIsAdmin(),
+									dbuser.isIsMandateUser(),
+									true);
+							
+							Date date = DateTimeHelper.parseDateTime(dbuser.getLastLogin());
+							if (date != null)
+								authUser.setLastLogin(date);;
+							
+							dbuser.setLastLogin(DateTimeHelper.getDateTime(new Date()));
+							
+							try {
+								ConfigurationDBUtils.saveOrUpdate(dbuser);
+								
+							} catch (MOADatabaseException e) {
+								log.warn("UserDatabase communicaton error", e);
+								addActionError(LanguageHelper.getErrorString("error.login"));
+								return Constants.STRUTS_ERROR;
+							}
+							finally {
+								ConfigurationDBUtils.closeSession();
+							}
+							session.setAttribute(Constants.SESSION_AUTH, authUser);
+							return Constants.STRUTS_SUCCESS;
+							
+						}
+					}
+					
+					log.info("PVP2 Assertion was maybe not well formed, because no Assertion element could be found.");
+					addActionError(LanguageHelper.getErrorString("error.login"));
+					return Constants.STRUTS_ERROR;
+					
+				} else {
+					log.info("Receive Error Assertion.");
+					return Constants.STRUTS_ERROR;
+				}
+				
+			} catch (Exception e) {
+				log.warn("Only http POST Requests can be used", e);
+				addActionError(LanguageHelper.getErrorString("error.login"));
+				return Constants.STRUTS_ERROR;
+			}
+			
+		} else {
+			log.info("Only http POST Requests can be used");
+			addActionError(LanguageHelper.getErrorString("error.login"));
+			return Constants.STRUTS_ERROR;
+		}
+	}
+	
+	public String requestNewUser() {
+		
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.warn("No active Session found");
+			return Constants.STRUTS_ERROR;
+		}
+		
+		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+		if (formidobj != null && formidobj instanceof String) {
+			String formid = (String) formidobj;
+			if (!formid.equals(formID)) {
+				log.warn("FormIDs does not match. Some suspect Form is received from user "
+						+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+				return Constants.STRUTS_ERROR;
+			}			
+		} else {
+			log.warn("FormIDs does not match. Some suspect Form is received from user "
+					+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+			return Constants.STRUTS_ERROR;
+		}
+		session.setAttribute(Constants.SESSION_FORMID, null);
+		
+		Object sessionformobj = session.getAttribute(Constants.SESSION_FORM);
+		if (sessionformobj != null && sessionformobj instanceof UserDatabaseFrom) {
+			UserDatabaseFrom sessionform = (UserDatabaseFrom) sessionformobj;
+			
+			Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);		
+			authUser = (AuthenticatedUser) authUserObj;	
+
+			if (user == null) {
+				log.warn("No form transmited");
+				return Constants.STRUTS_ERROR;
+			}
+			
+			//get UserID
+			String useridobj = user.getUserID();
+			long userID = -1;
+			if (MiscUtil.isEmpty(useridobj)) {
+				userID = -1;
+				
+			} else {
+				if (!ValidationHelper.validateOAID(useridobj)){
+					log.warn("User with ID " + authUser.getUserID() 
+							+ " would access UserDatabase ID " + useridobj);
+					addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request));
+					return Constants.STRUTS_ERROR;
+				}	
+				userID = Long.valueOf(useridobj);
+			}
+			
+			String check;
+			if (!sessionform.isIsmandateuser()) {
+				check = user.getInstitut();
+				if (MiscUtil.isNotEmpty(check)) {
+					if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+						log.warn("Organisation contains potentail XSS characters: " + check);
+						addActionError(LanguageHelper.getErrorString("validation.edituser.institut.valid", 
+								new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+					}
+				} else {
+					log.warn("Organisation is empty");
+					addActionError(LanguageHelper.getErrorString("validation.edituser.institut.empty"));			
+				}
+			}
+			
+			check = user.getMail();
+			if (MiscUtil.isNotEmpty(check)) {
+				if (!ValidationHelper.isEmailAddressFormat(check)) {
+					log.warn("Mailaddress is not valid: " + check);
+					addActionError(LanguageHelper.getErrorString("validation.edituser.mail.valid", 
+							new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+				}
+			} else {
+				log.warn("Mailaddress is empty");
+				addActionError(LanguageHelper.getErrorString("validation.edituser.mail.empty"));			
+			}
+			
+			check = user.getPhone();
+			if (MiscUtil.isNotEmpty(check)) {
+				if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+					log.warn("Phonenumber contains potentail XSS characters: " + check);
+					addActionError(LanguageHelper.getErrorString("validation.edituser.phone.valid", 
+							new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+				}
+			} else {
+				log.warn("Phonenumber is empty");
+				addActionError(LanguageHelper.getErrorString("validation.edituser.phone.empty"));			
+			}
+			
+			if (hasActionErrors()) {
+				log.info("Some form errors found. Send user back to form");
+				
+				user.setPVPGenerated(true);
+				user.setFamilyName(sessionform.getFamilyName());
+				user.setGivenName(sessionform.getGivenName());
+				user.setIsmandateuser(sessionform.isIsmandateuser());
+				user.setBpk(sessionform.getBpk());
+				
+				if (sessionform.isIsmandateuser())
+					user.setInstitut(sessionform.getInstitut());
+				
+				formID = Random.nextRandom();
+				session.setAttribute(Constants.SESSION_FORMID, formID);
+
+				return Constants.STRUTS_NEWUSER;
+			}
+
+			UserDatabase dbuser;
+			
+			if (userID < 0) {
+				dbuser = new UserDatabase();
+				dbuser.setBpk(sessionform.getBpk());
+				dbuser.setFamilyname(sessionform.getFamilyName());
+				dbuser.setGivenname(sessionform.getGivenName());
+
+				if (sessionform.isIsmandateuser())
+					dbuser.setInstitut(sessionform.getInstitut());
+				else
+					dbuser.setInstitut(user.getInstitut());
+				
+				dbuser.setIsPVP2Generated(true);
+				dbuser.setLastLogin(DateTimeHelper.getDateTime(new Date()));
+				dbuser.setIsActive(false);
+				dbuser.setIsAdmin(false);
+				dbuser.setIsMandateUser(sessionform.isIsmandateuser());
+				dbuser.setIsUsernamePasswordAllowed(false);
+				
+			} else 
+				dbuser = ConfigurationDBRead.getUserWithID(userID);
+			
+			dbuser.setMail(user.getMail());
+			dbuser.setPhone(user.getPhone());
+			dbuser.setIsAdminRequest(true);
+			dbuser.setIsMailAddressVerified(false);
+			dbuser.setUserRequestTokken(Random.nextRandom());
+						
+			try {
+				ConfigurationDBUtils.saveOrUpdate(dbuser);
+				
+				MailHelper.sendUserMailAddressVerification(dbuser);
+				
+			} catch (MOADatabaseException e) {
+				log.warn("New UserRequest can not be stored in database", e);
+				return Constants.STRUTS_ERROR;
+				
+			} catch (ConfigurationException e) {
+				log.warn("Sending of mailaddress verification mail failed.", e);
+				addActionError(LanguageHelper.getErrorString("error.mail.send"));
+				return Constants.STRUTS_NEWUSER;
+			}
+			
+			finally {
+				session.setAttribute(Constants.SESSION_FORM, null);
+				session.setAttribute(Constants.SESSION_AUTH, null);	
+				ConfigurationDBUtils.closeSession();
+			}
+			
+			addActionMessage(LanguageHelper.getGUIString("webpages.edituser.changemailaddress.verify"));
+			
+			session.invalidate();
+			
+			return Constants.STRUTS_SUCCESS; 
+			
+		} else {
+			log.warn("No SessionForm found");
+			return Constants.STRUTS_ERROR;
+		}
+		
+	}
+	
+	public String mailAddressVerification() {
+		
+		String userrequesttokken = request.getParameter(Constants.REQUEST_USERREQUESTTOKKEN);
+		if (MiscUtil.isNotEmpty(userrequesttokken)) {
+			
+			userrequesttokken = StringEscapeUtils.escapeHtml(userrequesttokken);
+			
+			try {
+				Long.parseLong(userrequesttokken);
+				
+			} catch (NumberFormatException e) {
+				log.warn("Verificationtokken has no number format.");
+				return Constants.STRUTS_ERROR;
+			}
+			
+			UserDatabase dbuser = ConfigurationDBRead.getNewUserWithTokken(userrequesttokken);
+			if (dbuser != null) {
+				dbuser.setUserRequestTokken(null);
+				dbuser.setIsMailAddressVerified(true);
+				
+				if (dbuser.isIsActive())
+					dbuser.setIsAdminRequest(false);
+				
+				try {
+					ConfigurationDBUtils.saveOrUpdate(dbuser);
+					
+					int numoas = 0;
+					int numusers = 0;
+					
+					List<OnlineApplication> openOAs = ConfigurationDBRead.getAllNewOnlineApplications();
+					if (openOAs != null)
+						numoas = openOAs.size();
+					
+					List<UserDatabase> openUsers = ConfigurationDBRead.getAllNewUsers();
+					if (openUsers != null)
+						numusers = openUsers.size();
+					
+					if (numusers > 0 || numoas > 0)
+						MailHelper.sendAdminMail(numoas, numusers);
+					
+				} catch (MOADatabaseException e) {
+					log.warn("Userinformation can not be stored in Database.", e);
+					addActionError(LanguageHelper.getErrorString("error.mail.verification"));
+					
+				} catch (ConfigurationException e) {
+					log.warn("Send mail to admin failed.", e);
+				}
+				
+				finally {
+					ConfigurationDBUtils.closeSession();
+				}
+				
+				addActionMessage(LanguageHelper.getGUIString("validation.newuser.mailaddress"));
+				return Constants.STRUTS_SUCCESS;
+			}
+		}	
+		
+		return Constants.STRUTS_ERROR;
+	}
+	
 	public String logout() {
 		
 		HttpSession session = request.getSession();
+
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
+		authUser = (AuthenticatedUser) authUserObj;
 		
 		if (session != null)
 			session.invalidate();
 		
+		try {
+			ConfigurationProvider config = ConfigurationProvider.getInstance();
+			String ssologout = config.getSSOLogOutURL();
+			
+			if (MiscUtil.isNotEmpty(ssologout) && authUser != null && authUser.isPVP2Login()) {
+				ssologouturl = ssologout + config.getPublicUrlPreFix(request);
+				return Constants.STRUTS_SSOLOGOUT;
+				
+			}
+			
+		} catch (ConfigurationException e) {
+			log.warn("Configuration can not be loaded.", e);
+			
+		}
+		
 		return Constants.STRUTS_SUCCESS;
 	}
 	
@@ -164,7 +719,46 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 	public void setUsername(String username) {
 		this.username = username;
 	}
-	
-	
 
+	/**
+	 * @return the authUser
+	 */
+	public AuthenticatedUser getAuthUser() {
+		return authUser;
+	}
+
+	/**
+	 * @return the user
+	 */
+	public UserDatabaseFrom getUser() {
+		return user;
+	}
+
+	/**
+	 * @param user the user to set
+	 */
+	public void setUser(UserDatabaseFrom user) {
+		this.user = user;
+	}
+
+	/**
+	 * @return the ssologouturl
+	 */
+	public String getSsologouturl() {
+		return ssologouturl;
+	}
+
+	/**
+	 * @return the formID
+	 */
+	public String getFormID() {
+		return formID;
+	}
+
+	/**
+	 * @param formID the formID to set
+	 */
+	public void setFormID(String formID) {
+		this.formID = formID;
+	}
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java
index f5f265ea6..da3c99714 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java
@@ -5,6 +5,7 @@ import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.log4j.Logger;
 import org.apache.struts2.interceptor.ServletRequestAware;
@@ -22,6 +23,7 @@ import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
 import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
 import at.gv.egovernment.moa.id.configuration.data.OAListElement;
 import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.helper.FormDataHelper;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
 import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -48,8 +50,13 @@ public class ListOAsAction extends ActionSupport implements ServletRequestAware,
 	
 	
 	public String listAllOnlineAppliactions() {
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		
 		authUser = (AuthenticatedUser) authUserObj;
 		
@@ -65,8 +72,16 @@ public class ListOAsAction extends ActionSupport implements ServletRequestAware,
 				dbOAs = authUserDB.getOnlineApplication();
 		}
 					
-		addFormOAs(dbOAs);			
-
+		if (dbOAs == null || dbOAs.size() == 0) {
+			addActionError(LanguageHelper.getErrorString("errors.listOAs.noOA"));
+			
+		} else {
+			formOAs = FormDataHelper.addFormOAs(dbOAs);
+		}
+		
+		session.setAttribute(Constants.SESSION_RETURNAREA, 
+				Constants.STRUTS_RETURNAREA_VALUES.main.name());
+		
 		ConfigurationDBUtils.closeSession();
 		
 		return Constants.STRUTS_SUCCESS;
@@ -86,8 +101,13 @@ public class ListOAsAction extends ActionSupport implements ServletRequestAware,
 	}
 	
 	public String searchOA() {
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		
 		authUser = (AuthenticatedUser) authUserObj;
 		
@@ -125,32 +145,23 @@ public class ListOAsAction extends ActionSupport implements ServletRequestAware,
 			}
 		}
 		
-		addFormOAs(dbOAs);
-		
-		ConfigurationDBUtils.closeSession();
-		
-		return Constants.STRUTS_SUCCESS;	
-	}
-	
-	private void addFormOAs(List<OnlineApplication> dbOAs) {
-		
-		formOAs = new ArrayList<OAListElement>();
 		if (dbOAs == null || dbOAs.size() == 0) {
-			addActionError(LanguageHelper.getErrorString("errors.listOAs.noOA", request));
+			log.debug("No OAs found with Identifier " + friendlyname);
+			addActionError(LanguageHelper.getErrorString("errors.listOAs.noOA"));
 			
 		} else {
-			for (OnlineApplication dboa : dbOAs) {
-				OAListElement listoa = new OAListElement();
-				listoa.setActive(dboa.isIsActive());
-				listoa.setDataBaseID(dboa.getHjid());
-				listoa.setOaFriendlyName(dboa.getFriendlyName());
-				listoa.setOaIdentifier(dboa.getPublicURLPrefix());
-				listoa.setOaType(dboa.getType());
-				formOAs.add(listoa);
-			}
+			
+			formOAs = FormDataHelper.addFormOAs(dbOAs);
+			session.setAttribute(Constants.SESSION_RETURNAREA, 
+					Constants.STRUTS_RETURNAREA_VALUES.main.name());
+			
 		}
-	}
+		
+		ConfigurationDBUtils.closeSession();
 	
+		return Constants.STRUTS_SUCCESS;	
+	}
+		
 	public void setServletResponse(HttpServletResponse arg0) {
 		this.response = arg0;
 	}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/MainAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/MainAction.java
index aeafe9548..c80d5484d 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/MainAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/MainAction.java
@@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.configuration.struts.action;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
+import org.apache.log4j.Logger;
 import org.apache.struts2.interceptor.ServletRequestAware;
 import org.apache.struts2.interceptor.ServletResponseAware;
 
@@ -14,6 +16,8 @@ import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
 public class MainAction implements ServletRequestAware,
 	ServletResponseAware {
 	
+	private static final Logger log = Logger.getLogger(MainAction.class);
+	
 	private HttpServletRequest request;
 	private HttpServletResponse response;
 	
@@ -30,8 +34,17 @@ public class MainAction implements ServletRequestAware,
 	
 	public String generateMainFrame() {
 		
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
+		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);		
 		authUser = (AuthenticatedUser) authUserObj;	
+		
+		session.setAttribute(Constants.SESSION_RETURNAREA, null);
+		
 		return Constants.STRUTS_SUCCESS;
 	}
 	
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/OpenAdminRequestsAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/OpenAdminRequestsAction.java
new file mode 100644
index 000000000..aa36d768a
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/OpenAdminRequestsAction.java
@@ -0,0 +1,106 @@
+package at.gv.egovernment.moa.id.configuration.struts.action;
+
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.apache.log4j.Logger;
+import org.apache.struts2.interceptor.ServletRequestAware;
+import org.apache.struts2.interceptor.ServletResponseAware;
+
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
+import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
+import at.gv.egovernment.moa.id.configuration.data.OAListElement;
+import at.gv.egovernment.moa.id.configuration.helper.FormDataHelper;
+
+import com.opensymphony.xwork2.ActionSupport;
+
+public class OpenAdminRequestsAction extends ActionSupport 
+		implements ServletRequestAware, ServletResponseAware {
+	
+	private static final Logger log = Logger.getLogger(OpenAdminRequestsAction.class);
+	
+	private static final long serialVersionUID = 1L;
+
+	private HttpServletRequest request;
+	private HttpServletResponse response;
+	
+	private AuthenticatedUser authUser = null; 
+	private List<OAListElement> formOAs = null;
+	private List<AuthenticatedUser> userlist = null;
+	
+
+	public String init() {
+		
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
+		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
+		
+		authUser = (AuthenticatedUser) authUserObj;
+		
+		if (authUser.isAdmin()) {
+			
+			List<OnlineApplication> dbOAs = ConfigurationDBRead.getAllNewOnlineApplications();
+			if (dbOAs != null) {
+				formOAs = FormDataHelper.addFormOAs(dbOAs);
+			}
+			
+			List<UserDatabase> dbUsers = ConfigurationDBRead.getAllNewUsers();
+			if (dbUsers != null){
+				userlist = FormDataHelper.addFormUsers(dbUsers);
+			}
+			
+			session.setAttribute(Constants.SESSION_RETURNAREA, 
+					Constants.STRUTS_RETURNAREA_VALUES.adminRequestsInit.name());
+
+			return Constants.STRUTS_SUCCESS;
+		} else {
+			log.info("Access to OpenAdminRequest area is not allowed for user with ID" + authUser.getUserID());
+			return Constants.STRUTS_NOTALLOWED;
+		}
+		
+	}
+	
+	
+	public void setServletResponse(HttpServletResponse response) {
+		this.response = response;
+	}
+
+	public void setServletRequest(HttpServletRequest request) {
+		this.request = request;
+	}
+
+
+	/**
+	 * @return the authUser
+	 */
+	public AuthenticatedUser getAuthUser() {
+		return authUser;
+	}
+
+
+	/**
+	 * @return the formOAs
+	 */
+	public List<OAListElement> getFormOAs() {
+		return formOAs;
+	}
+
+
+	/**
+	 * @return the userlist
+	 */
+	public List<AuthenticatedUser> getUserlist() {
+		return userlist;
+	}
+		
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java
index 2a9ec038f..6bc90a417 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java
@@ -1,11 +1,12 @@
 package at.gv.egovernment.moa.id.configuration.struts.action;
 
-import java.util.ArrayList;
-import java.util.Date;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
 import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.log4j.Logger;
 import org.apache.struts2.interceptor.ServletRequestAware;
@@ -18,10 +19,14 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.configuration.Constants;
 import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
 import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
 import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper;
+import at.gv.egovernment.moa.id.configuration.helper.FormDataHelper;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
+import at.gv.egovernment.moa.id.configuration.helper.MailHelper;
 import at.gv.egovernment.moa.id.configuration.validation.UserDatabaseFormValidator;
 import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper;
+import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.util.MiscUtil;
 
 import com.opensymphony.xwork2.ActionSupport;
@@ -43,30 +48,34 @@ public class UserManagementAction extends ActionSupport
 	
 	private String useridobj = null;
 	private static boolean newUser = false;
+	private InputStream stream;
+	private String nextPage;
+	private String formID;
 	
 	public String init() {
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
-		
+				
 		if (authUser.isAdmin()) {
 			
+			log.info("Show NewserRequests");
+			
 			log.info("Show UserList");
 			
 			List<UserDatabase> dbuserlist = ConfigurationDBRead.getAllUsers();
+						
 			if (dbuserlist != null) {
-				userlist = new ArrayList<AuthenticatedUser>();
-				
-				for (UserDatabase dbuser : dbuserlist) {
-					userlist.add(new AuthenticatedUser(
-							dbuser.getHjid(), 
-							dbuser.getGivenname(), 
-							dbuser.getFamilyname(),
-							dbuser.getUsername(),
-							dbuser.isIsActive(), 
-							dbuser.isIsAdmin()));
-				}
+				userlist = FormDataHelper.addFormUsers(dbuserlist);
 			}
+		
+			session.setAttribute(Constants.SESSION_RETURNAREA,
+					Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name());
 			
 			ConfigurationDBUtils.closeSession();
 			return Constants.STRUTS_SUCCESS;
@@ -79,20 +88,37 @@ public class UserManagementAction extends ActionSupport
 			}
 			user = new UserDatabaseFrom(dbuser);
 			ConfigurationDBUtils.closeSession();
+			
+			session.setAttribute(Constants.SESSION_RETURNAREA,
+					Constants.STRUTS_RETURNAREA_VALUES.main.name());
+			
+			formID = Random.nextRandom();
+			session.setAttribute(Constants.SESSION_FORMID, formID);
+			
 			return Constants.STRUTS_NOTALLOWED;
 		}
 	}
 	
 	public String createuser() {
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
+		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		
 		authUser = (AuthenticatedUser) authUserObj;
+		nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name();
 		
 		if (authUser.isAdmin()) {
 							
 			user = new UserDatabaseFrom();
 			
 			newUser = true;
+			
+			formID = Random.nextRandom();
+			session.setAttribute(Constants.SESSION_FORMID, formID);
 			return Constants.STRUTS_SUCCESS;
 			
 		} else {
@@ -101,10 +127,27 @@ public class UserManagementAction extends ActionSupport
 	}
 	
 	public String edituser() {
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 		
+		Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA);	
+		if (nextPageAttr != null && nextPageAttr instanceof String 
+				&& MiscUtil.isNotEmpty((String)nextPageAttr) ) {
+			nextPage = (String) nextPageAttr;
+			
+		} else {
+			nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name();
+		}
+		
+		formID = Random.nextRandom();
+		session.setAttribute(Constants.SESSION_FORMID, formID);
+		
 		if (authUser.isAdmin()) {
 			long userid = -1;
 			
@@ -136,11 +179,31 @@ public class UserManagementAction extends ActionSupport
 		}		
 	}
 	
-	public String saveuser() {
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+	public String saveuser() {	
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
 
+		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+		if (formidobj != null && formidobj instanceof String) {
+			String formid = (String) formidobj;
+			if (!formid.equals(formID)) {
+				log.warn("FormIDs does not match. Some suspect Form is received from user "
+						+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+				return Constants.STRUTS_ERROR;
+			}			
+		} else {
+			log.warn("FormIDs does not match. Some suspect Form is received from user "
+					+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+			return Constants.STRUTS_ERROR;
+		}
+		session.setAttribute(Constants.SESSION_FORMID, null);
+		
 		String useridobj = user.getUserID();
 		long userID = -1;
 		if (MiscUtil.isEmpty(useridobj)) {
@@ -156,9 +219,30 @@ public class UserManagementAction extends ActionSupport
 			userID = Long.valueOf(useridobj);
 		}
 		
+		UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID);
+		
+		if( dbuser == null) {
+			dbuser = new UserDatabase();
+			dbuser.setIsMandateUser(false);
+			dbuser.setIsAdminRequest(false);
+			dbuser.setIsPVP2Generated(false);
+			dbuser.setUserRequestTokken(null);
+			dbuser.setIsMailAddressVerified(false);
+			dbuser.setUsername(user.getUsername());
+		}
+		
 		List<String> errors;
 		UserDatabaseFormValidator validator = new UserDatabaseFormValidator();
-		errors = validator.validate(user, userID);
+		
+		boolean ispvp2 = false;
+		boolean ismandate = false;
+		if (dbuser.isIsPVP2Generated() != null)
+			ispvp2 = dbuser.isIsPVP2Generated();
+		
+		if (dbuser.isIsMandateUser() != null)
+			ismandate = dbuser.isIsMandateUser();
+		
+		errors = validator.validate(user, userID, ispvp2, ismandate);
 
 		if (errors.size() > 0) {
 			log.info("UserDataForm has some erros.");
@@ -169,6 +253,14 @@ public class UserManagementAction extends ActionSupport
 			if (MiscUtil.isEmpty(user.getUsername()))
 				newUser = true;
 			
+			user.setIsmandateuser(ismandate);
+			user.setPVPGenerated(ispvp2);
+			if (dbuser.isIsUsernamePasswordAllowed() != null)
+				user.setIsusernamepasswordallowed(dbuser.isIsUsernamePasswordAllowed());	
+			
+			formID = Random.nextRandom();
+			session.setAttribute(Constants.SESSION_FORMID, formID);
+			
 			return Constants.STRUTS_ERROR_VALIDATION;
 		}
 		
@@ -181,8 +273,49 @@ public class UserManagementAction extends ActionSupport
 			}
 							
 		}
-
-		String error = saveFormToDB();
+				
+		if (!user.getMail().equals(dbuser.getMail()) && !authUser.isAdmin()) {
+			dbuser.setIsMailAddressVerified(false);
+			dbuser.setUserRequestTokken(Random.nextRandom());
+			
+			try {
+				MailHelper.sendUserMailAddressVerification(dbuser);
+				addActionMessage(LanguageHelper.getGUIString("webpages.edituser.changemailaddress.verify"));
+				
+			} catch (ConfigurationException e) {
+				log.warn("Sending of mailaddress verification mail failed.", e);
+				addActionError(LanguageHelper.getErrorString("error.mail.send"));
+			}
+		}
+			
+		Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA);	
+		if (nextPageAttr != null && nextPageAttr instanceof String 
+				&& MiscUtil.isNotEmpty((String)nextPageAttr) ) {
+			nextPage = (String) nextPageAttr;
+			
+			if (nextPage.equals(Constants.STRUTS_RETURNAREA_VALUES.adminRequestsInit.name()) &&
+					user.isActive()) {
+				dbuser.setIsAdminRequest(false);
+				try {	
+					if (dbuser.isIsMandateUser())
+						MailHelper.sendUserAccountActivationMail(dbuser.getGivenname(), dbuser.getFamilyname(),
+								dbuser.getInstitut(), user.getMail());
+					else
+						MailHelper.sendUserAccountActivationMail(dbuser.getGivenname(), dbuser.getFamilyname(),
+								null, user.getMail());
+					
+				} catch (ConfigurationException e) {
+					log.warn("Send UserAccountActivation mail failed", e);
+				}
+			}
+			session.setAttribute(Constants.SESSION_RETURNAREA, null);
+			
+		} else {
+			nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name();
+		}
+		
+		String error = saveFormToDB(dbuser);
+				
 		if (error != null) {
 			log.warn("UserData can not be stored in Database");
 			addActionError(error);
@@ -194,10 +327,30 @@ public class UserManagementAction extends ActionSupport
 	}
 	
 	public String deleteuser() {
-		Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 		authUser = (AuthenticatedUser) authUserObj;
-							
+		
+		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+		if (formidobj != null && formidobj instanceof String) {
+			String formid = (String) formidobj;
+			if (!formid.equals(formID)) {
+				log.warn("FormIDs does not match. Some suspect Form is received from user "
+						+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+				return Constants.STRUTS_ERROR;
+			}			
+		} else {
+			log.warn("FormIDs does not match. Some suspect Form is received from user "
+					+ authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+			return Constants.STRUTS_ERROR;
+		}
+		session.setAttribute(Constants.SESSION_FORMID, null);
+		
 		String useridobj = user.getUserID();
 		long userID = -1;
 		if (MiscUtil.isEmpty(useridobj)) {
@@ -222,6 +375,16 @@ public class UserManagementAction extends ActionSupport
 			}
 		}
 		
+		Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA);	
+		if (nextPageAttr != null && nextPageAttr instanceof String 
+				&& MiscUtil.isNotEmpty((String)nextPageAttr)  ) {
+			nextPage = (String) nextPageAttr;
+			session.setAttribute(Constants.SESSION_RETURNAREA, null);
+			
+		} else {
+			nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name();
+		}
+		
 		UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID);
 		if (dbuser != null) {
 			dbuser.setOnlineApplication(null);
@@ -230,8 +393,22 @@ public class UserManagementAction extends ActionSupport
 				ConfigurationDBUtils.saveOrUpdate(dbuser);
 				ConfigurationDBUtils.delete(dbuser);
 				
+				if (authUser.isAdmin()) {
+					MailHelper.sendUserAccountRevocationMail(dbuser);
+				}
+				
+				if (dbuser.getHjid() == authUser.getUserID()) {
+					ConfigurationDBUtils.closeSession();
+					return Constants.STRUTS_REAUTHENTICATE;
+				}
+					
 			} catch (MOADatabaseException e) {
-				log.warn("UserData can not be deleted from Database");
+				log.warn("UserData can not be deleted from Database", e);
+				addActionError(e.getMessage());
+				return Constants.STRUTS_SUCCESS;
+				
+			} catch (ConfigurationException e) {
+				log.warn("Information mail sending failed.", e);
 				addActionError(e.getMessage());
 				return Constants.STRUTS_SUCCESS;
 			}
@@ -242,39 +419,93 @@ public class UserManagementAction extends ActionSupport
 		}
 		
 		ConfigurationDBUtils.closeSession();
+			
 		return Constants.STRUTS_SUCCESS;
 	}
 	
-	private String saveFormToDB() {
+	public String sendVerificationMail () {
+		HttpSession session = request.getSession();
+		if (session == null) {
+			log.info("No http Session found.");
+			return Constants.STRUTS_ERROR;
+		}
 		
-		UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(user.getUsername());
+		String 	message = LanguageHelper.getErrorString("error.mail.verification");
 		
-		if( dbuser == null) {
-			dbuser = new UserDatabase();
+		Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
+		authUser = (AuthenticatedUser) authUserObj;
+		
+		if (authUser != null) {
+			UserDatabase dbuser = ConfigurationDBRead.getUserWithID(authUser.getUserID());
+			
+			if (dbuser != null) {	
+				dbuser.setIsMailAddressVerified(false);
+				dbuser.setUserRequestTokken(Random.nextRandom());
+				
+				try {
+					ConfigurationDBUtils.saveOrUpdate(dbuser);
+
+					MailHelper.sendUserMailAddressVerification(dbuser);
+					
+					message = LanguageHelper.getErrorString("webpages.edituser.verify.mail.message");
+					
+				} catch (ConfigurationException e) {
+					log.warn("Sending of mailaddress verification mail failed.", e);
+					message = LanguageHelper.getErrorString("error.mail.send");
+					
+				} catch (MOADatabaseException e) {
+					log.warn("Access UserInformationDatabase failed.", e);
+				}	
+			} 
 		}
 		
-		dbuser.setBpk(user.getBpk());
-		dbuser.setFamilyname(user.getFamilyName());
-		dbuser.setGivenname(user.getGivenName());
-		dbuser.setInstitut(user.getInstitut());
+		stream = new ByteArrayInputStream(message.getBytes());
+		
+		return SUCCESS;
+	}
+	
+	private String saveFormToDB(UserDatabase dbuser) {
+				
 		dbuser.setMail(user.getMail());
 		dbuser.setPhone(user.getPhone());
-		dbuser.setUsername(user.getUsername());
 		
-		if (authUser.isAdmin()) {
-			dbuser.setIsActive(user.isActive());
-			dbuser.setIsAdmin(user.isAdmin());
+		if (authUser.isAdmin() || dbuser.isIsUsernamePasswordAllowed()) {
+			dbuser.setIsUsernamePasswordAllowed(user.isIsusernamepasswordallowed());
+			
+			if (authUser.isAdmin()) {
+				dbuser.setIsActive(user.isActive());
+				dbuser.setIsAdmin(user.isAdmin());
+			
+			}
 		}
 		
-		if (MiscUtil.isNotEmpty(user.getPassword())) {
-			String key = AuthenticationHelper.generateKeyFormPassword(user.getPassword());
-			if (key == null) {
-				return LanguageHelper.getErrorString("errors.edit.user.save");
+		if (dbuser.isIsPVP2Generated() == null || !dbuser.isIsPVP2Generated()) {
+			dbuser.setFamilyname(user.getFamilyName());
+			dbuser.setGivenname(user.getGivenName());
+			dbuser.setInstitut(user.getInstitut());
+			
+			if (authUser.isAdmin())
+				dbuser.setBpk(user.getBpk());
+			
+		} else {
+			if (!dbuser.isIsMandateUser())
+				dbuser.setInstitut(user.getInstitut());
+		}
+		
+		if (dbuser.isIsUsernamePasswordAllowed()) {
+			
+			if (MiscUtil.isNotEmpty(user.getUsername()) && MiscUtil.isEmpty(dbuser.getUsername()))
+				dbuser.setUsername(user.getUsername());
+			
+			if (MiscUtil.isNotEmpty(user.getPassword())) {
+				String key = AuthenticationHelper.generateKeyFormPassword(user.getPassword());
+				if (key == null) {
+					return LanguageHelper.getErrorString("errors.edit.user.save");
+				}
+				dbuser.setPassword(key);			
 			}
-			dbuser.setPassword(key);			
 		}
 
-		
 		try {
 			ConfigurationDBUtils.saveOrUpdate(dbuser);
 		} catch (MOADatabaseException e) {
@@ -284,27 +515,7 @@ public class UserManagementAction extends ActionSupport
 		
 		return null;
 	}
-	
-//	public String createTestUser() throws MOADatabaseException {
-//		
-//		UserDatabase user = new UserDatabase();
-//		user.setBpk("");
-//		user.setFamilyname("Max");
-//		user.setGivenname("Mustermann");
-//		user.setIsActive(true);
-//		user.setIsAdmin(false);
-//		user.setInstitut("EGIZ");
-//		user.setLastLoginItem(new Date());
-//		user.setMail("masdf@amfasdf.com");
-//		user.setPhone("00660011542");
-//		user.setUsername("testuser");
-//		
-//		ConfigurationDBUtils.save(user);
-//		
-//		return Constants.STRUTS_SUCCESS;
-//	}
-	
-	
+		
 	public void setServletResponse(HttpServletResponse response) {
 		this.response = response;
 		
@@ -370,7 +581,33 @@ public class UserManagementAction extends ActionSupport
 	public boolean isNewUser() {
 		return newUser;
 	}
-	
-	
+
+	/**
+	 * @return the nextPage
+	 */
+	public String getNextPage() {
+		return nextPage;
+	}
+
+	/**
+	 * @return the stream
+	 */
+	public InputStream getStream() {
+		return stream;
+	}
+
+	/**
+	 * @return the formID
+	 */
+	public String getFormID() {
+		return formID;
+	}
+
+	/**
+	 * @param formID the formID to set
+	 */
+	public void setFormID(String formID) {
+		this.formID = formID;
+	}
 	
 }
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/SAML2Utils.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/SAML2Utils.java
new file mode 100644
index 000000000..ede8c09a8
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/SAML2Utils.java
@@ -0,0 +1,82 @@
+package at.gv.egovernment.moa.id.configuration.utils;
+
+import java.io.IOException;
+import java.util.Iterator;
+import java.util.Map;
+
+import javax.xml.namespace.QName;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
+
+import org.opensaml.Configuration;
+import org.opensaml.DefaultBootstrap;
+import org.opensaml.xml.ConfigurationException;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.XMLObjectBuilder;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.io.MarshallingException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+
+public class SAML2Utils {
+
+	static {
+		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		factory.setNamespaceAware(true);
+		factory.setValidating(false);
+		try {
+			builder = factory.newDocumentBuilder();
+		} catch (ParserConfigurationException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	private static DocumentBuilder builder;
+
+	public static <T> T createSAMLObject(final Class<T> clazz) {
+		try {
+
+			XMLObjectBuilderFactory builderFactory = Configuration
+					.getBuilderFactory();
+
+			QName defaultElementName = (QName) clazz.getDeclaredField(
+					"DEFAULT_ELEMENT_NAME").get(null);
+			Map<QName, XMLObjectBuilder> builder = builderFactory.getBuilders();
+			Iterator<QName> it = builder.keySet().iterator();
+
+			while (it.hasNext()) {
+				QName qname = it.next();
+				if (qname.equals(defaultElementName)) {
+					System.out.printf("Builder for: %s\n", qname.toString());
+				}
+			}
+			XMLObjectBuilder xmlBuilder = builderFactory
+					.getBuilder(defaultElementName);
+			
+			T object = (T) xmlBuilder.buildObject(defaultElementName);
+			return object;
+		} catch (Throwable e) {
+			System.out.printf("Failed to create object for: %s\n",
+					clazz.toString());
+			e.printStackTrace();
+			return null;
+		}
+	}
+
+	public static org.w3c.dom.Document asDOMDocument(XMLObject object) throws IOException,
+			MarshallingException, TransformerException {
+		org.w3c.dom.Document document = builder.newDocument();
+		Marshaller out = Configuration.getMarshallerFactory().getMarshaller(
+				object);
+		out.marshall(object, document);
+		return document;
+	}
+	
+
+	
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java
new file mode 100644
index 000000000..96e99e8c7
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/utils/UserRequestCleaner.java
@@ -0,0 +1,71 @@
+package at.gv.egovernment.moa.id.configuration.utils;
+
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+
+import org.apache.log4j.Logger;
+
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
+import at.gv.egovernment.moa.id.configuration.helper.DateTimeHelper;
+
+
+public class UserRequestCleaner implements Runnable {
+
+	private static final Logger log = Logger.getLogger(UserRequestCleaner.class);
+	
+	private static final long SESSION_CLEANUP_INTERVAL = 60 * 60; // 60 min
+		
+	public void run() {
+		 while (true) {
+			 try {
+				ConfigurationProvider config = ConfigurationProvider.getInstance();
+				
+				List<UserDatabase> userrequests = ConfigurationDBRead.getAllOpenUsersRequests();
+				if (userrequests != null) {
+					Calendar cal = Calendar.getInstance();
+					cal.add(Calendar.HOUR, config.getUserRequestCleanUpDelay()*-1);
+					Date cleanupdate = cal.getTime();
+					
+					for(UserDatabase dbuser : userrequests) {
+						Date requestdate = DateTimeHelper.parseDateTime(dbuser.getLastLogin());
+
+						if (requestdate != null && requestdate.after(cleanupdate)) {
+							log.info("Remove UserRequest from Database");
+							ConfigurationDBUtils.delete(dbuser);
+						}
+					
+					}					
+				}
+
+				Thread.sleep(SESSION_CLEANUP_INTERVAL * 1000);
+				
+			} catch (ConfigurationException e) {
+				log.info("UserRequestCleaner can not load configuration", e);
+				
+			} catch (InterruptedException e) {
+				
+			} finally {
+				ConfigurationDBUtils.closeSession();
+				
+			}
+		 }
+	}
+	
+	  /**
+	   * start the sessionCleaner
+	   */
+	  public static void start() {
+	    // start the session cleanup thread
+	    Thread sessionCleaner = new Thread(new UserRequestCleaner());
+	    sessionCleaner.setName("UserRequestCleaner");
+	    sessionCleaner.setDaemon(true);
+	    sessionCleaner.setPriority(Thread.MIN_PRIORITY);
+	    sessionCleaner.start();
+	  }
+	
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/CompanyNumberValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/CompanyNumberValidator.java
index 820aa7c57..466867367 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/CompanyNumberValidator.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/CompanyNumberValidator.java
@@ -2,17 +2,17 @@ package at.gv.egovernment.moa.id.configuration.validation;
 
 import org.apache.commons.lang.StringUtils;
 
+import at.gv.egovernment.moa.id.configuration.Constants;
+
 public class CompanyNumberValidator implements IdentificationNumberValidator {
 
 	public boolean validate(String commercialRegisterNumber) {
 		
 		String normalizedNumber = commercialRegisterNumber.replaceAll(" ", "");
-		if(normalizedNumber.startsWith("FN")) {
+		if(normalizedNumber.startsWith(Constants.IDENIFICATIONTYPE_FN))
 			normalizedNumber = normalizedNumber.substring(2);
-			return checkCommercialRegisterNumber(normalizedNumber);
-			
-		} else 
-			return true;
+		
+		return checkCommercialRegisterNumber(normalizedNumber);
 	}
 
 	private boolean checkCommercialRegisterNumber(String commercialRegisterNumber) {
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/TargetValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/TargetValidator.java
new file mode 100644
index 000000000..65e8a549e
--- /dev/null
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/TargetValidator.java
@@ -0,0 +1,84 @@
+package at.gv.egovernment.moa.id.configuration.validation;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import at.gv.egovernment.moa.util.MiscUtil;
+
+
+public class TargetValidator {
+
+	private static Map<String, String> targetList = null;
+	
+	static {
+		targetList = new HashMap<String, String>();
+		targetList.put("AR", "Arbeit");
+		targetList.put("AS", "Amtliche Statistik");
+		targetList.put("BF", "Bildung und Forschung");
+		targetList.put("BW", "Bauen und Wohnen");
+		targetList.put("EA", "EU und Auswärtige Angelegenheiten");
+		targetList.put("EF", "Ein- und Ausfuhr");
+		targetList.put("GH", "Gesundheit");
+		targetList.put("GS", "Gesellschaft und Soziales");
+		targetList.put("GS-RE", "Restitution");
+		targetList.put("JR", "Justiz/Zivilrechtswesen");
+		targetList.put("KL", "Kultus");
+		targetList.put("KU", "Kunst und Kultur");
+		targetList.put("LF", "Land- und Forstwirtschaft");
+		targetList.put("LV", "Landesverteidigung");
+		targetList.put("RT", "Rundfunk und sonstige Medien sowie Telekommunikation");
+		targetList.put("SA", "Steuern und Abgaben");
+		targetList.put("SA", "Sport und Freizeit");
+		targetList.put("SO", "Sicherheit und Ordnung");
+		targetList.put("SO-VR", "Vereinsregister");
+		targetList.put("SR-RG", "Strafregister");
+		targetList.put("SV", "Sozialversicherung");
+		targetList.put("UW", "Umwelt");
+		targetList.put("VT", "Verkehr und Technik");
+		targetList.put("VV", "Vermögensverwaltung");
+		targetList.put("WT", "Wirtschaft");
+		targetList.put("ZP", "Personenidentität und Bürgerrechte(zur Person)");
+		targetList.put("BR", "Bereichsübergreifender Rechtsschutz");
+		targetList.put("HR", "Zentrales Rechnungswesen");
+		targetList.put("KI", "Auftraggeberinterne allgemeine Kanzleiindizes");
+		targetList.put("OI", "Öffentlichkeitsarbeit");
+		targetList.put("PV", "Personalverwaltung");
+		targetList.put("RD", "Zentraler Rechtsdienst");
+		targetList.put("VS", "Zentrale Durchführung von Verwaltungsstrafverfahren");
+		targetList.put("VS-RG", "Zentrales Verwaltungsstrafregister");
+		targetList.put("ZU", "Zustellungen");
+	}
+	
+	public static List<String> getListOfTargets() {
+		Map<String, String> list = new HashMap<String, String>();
+		list.put("", "");
+		list.putAll(targetList);
+		
+		List<String> sortedList = new ArrayList<String>();
+		sortedList.addAll(list.keySet());
+		Collections.sort(sortedList);
+		
+		return sortedList;
+	
+	}
+	
+	public static String getTargetFriendlyName(String target) {
+		String name = targetList.get(target);
+		
+		if (MiscUtil.isNotEmpty(name))
+			return name;
+		else
+			return null;
+	}
+	
+	public static boolean isValidTarget(String target) {
+		return targetList.containsKey(target);
+	}
+	
+	
+}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java
index 276b0b4c8..88e1e6cf5 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java
@@ -16,44 +16,50 @@ public class UserDatabaseFormValidator {
 
 	private static final Logger log = Logger.getLogger(UserDatabaseFormValidator.class);
 	
-	public List<String> validate(UserDatabaseFrom form, long userID) {
+	public List<String> validate(UserDatabaseFrom form, long userID, boolean isPVP2Generated, boolean isMandateUser) {
 		List<String> errors = new ArrayList<String>();
-				
-		String check = form.getGivenName();
-		if (MiscUtil.isNotEmpty(check)) {
-			if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
-				log.warn("GivenName contains potentail XSS characters: " + check);
-				errors.add(LanguageHelper.getErrorString("validation.edituser.givenname.valid", 
-						new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
-			}
-		} else {
-			log.warn("GivenName is empty");
-			errors.add(LanguageHelper.getErrorString("validation.edituser.givenname.empty"));			
-		}
 		
+		String check = null;
 		
-		check = form.getFamilyName();
-		if (MiscUtil.isNotEmpty(check)) {
-			if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
-				log.warn("FamilyName contains potentail XSS characters: " + check);
-				errors.add(LanguageHelper.getErrorString("validation.edituser.familyname.valid", 
-						new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+		if (!isPVP2Generated) { 
+			check = form.getGivenName();
+			if (MiscUtil.isNotEmpty(check)) {
+				if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+					log.warn("GivenName contains potentail XSS characters: " + check);
+					errors.add(LanguageHelper.getErrorString("validation.edituser.givenname.valid", 
+							new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+				}
+			} else {
+				log.warn("GivenName is empty");
+				errors.add(LanguageHelper.getErrorString("validation.edituser.givenname.empty"));			
+			}
+			
+			
+			check = form.getFamilyName();
+			if (MiscUtil.isNotEmpty(check)) {
+				if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+					log.warn("FamilyName contains potentail XSS characters: " + check);
+					errors.add(LanguageHelper.getErrorString("validation.edituser.familyname.valid", 
+							new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+				}
+			} else {
+				log.warn("FamilyName is empty");
+				errors.add(LanguageHelper.getErrorString("validation.edituser.familyname.empty"));			
 			}
-		} else {
-			log.warn("FamilyName is empty");
-			errors.add(LanguageHelper.getErrorString("validation.edituser.familyname.empty"));			
 		}
-
-		check = form.getInstitut();
-		if (MiscUtil.isNotEmpty(check)) {
-			if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
-				log.warn("Organisation contains potentail XSS characters: " + check);
-				errors.add(LanguageHelper.getErrorString("validation.edituser.institut.valid", 
-						new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+		
+		if (!isMandateUser) {
+			check = form.getInstitut();
+			if (MiscUtil.isNotEmpty(check)) {
+				if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+					log.warn("Organisation contains potentail XSS characters: " + check);
+					errors.add(LanguageHelper.getErrorString("validation.edituser.institut.valid", 
+							new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+				}
+			} else {
+				log.warn("Organisation is empty");
+				errors.add(LanguageHelper.getErrorString("validation.edituser.institut.empty"));			
 			}
-		} else {
-			log.warn("Organisation is empty");
-			errors.add(LanguageHelper.getErrorString("validation.edituser.institut.empty"));			
 		}
 		
 		check = form.getMail();
@@ -80,67 +86,67 @@ public class UserDatabaseFormValidator {
 			errors.add(LanguageHelper.getErrorString("validation.edituser.phone.empty"));			
 		}
 		
-		check = form.getUsername();
-		if (MiscUtil.isNotEmpty(check)) {
-			if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
-				log.warn("Username contains potentail XSS characters: " + check);
-				errors.add(LanguageHelper.getErrorString("validation.edituser.username.valid", 
-						new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
-				
-			} else {
-				UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(check);
-				if (dbuser != null && userID != dbuser.getHjid()) {
-					log.warn("Username " + check + " exists in UserDatabase");
-					errors.add(LanguageHelper.getErrorString("validation.edituser.username.duplicate"));
-					form.setUsername("");
-				}	
-			}
-		} else {
-			if (userID == -1) {
-				log.warn("Username is empty");
-				errors.add(LanguageHelper.getErrorString("validation.edituser.username.empty"));
+		if (form.isIsusernamepasswordallowed()) {
+			check = form.getUsername();
+			if (MiscUtil.isNotEmpty(check)) {
+				if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+					log.warn("Username contains potentail XSS characters: " + check);
+					errors.add(LanguageHelper.getErrorString("validation.edituser.username.valid", 
+							new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+					
+				} else {
+					UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(check);
+					if (dbuser != null && userID != dbuser.getHjid()) {
+						log.warn("Username " + check + " exists in UserDatabase");
+						errors.add(LanguageHelper.getErrorString("validation.edituser.username.duplicate"));
+						form.setUsername("");
+					}	
+				}
 			} else {
-				UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID);
-				if (dbuser == null) {
+				if (userID == -1) {
 					log.warn("Username is empty");
 					errors.add(LanguageHelper.getErrorString("validation.edituser.username.empty"));
 				} else {
-					form.setUsername(dbuser.getUsername());
+					UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID);
+					if (dbuser == null) {
+						log.warn("Username is empty");
+						errors.add(LanguageHelper.getErrorString("validation.edituser.username.empty"));
+					} else {
+						form.setUsername(dbuser.getUsername());
+					}
 				}
 			}
-		}
-		
-		check = form.getPassword();
 			
-		if (MiscUtil.isEmpty(check)) {
-			if (userID == -1) {
-				log.warn("Password is empty");
-				errors.add(LanguageHelper.getErrorString("validation.edituser.password.empty"));
-			} else {
-				UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID);
-				if (dbuser == null || MiscUtil.isEmpty(dbuser.getPassword())) {
+			check = form.getPassword();
+				
+			if (MiscUtil.isEmpty(check)) {
+				if (userID == -1) {
 					log.warn("Password is empty");
 					errors.add(LanguageHelper.getErrorString("validation.edituser.password.empty"));
-				}
-			}
-			
-		} else {
-			
-			if (check.equals(form.getPassword_second())) {
-			
-				String key = AuthenticationHelper.generateKeyFormPassword(check);
-				if (key == null) {
-					errors.add(LanguageHelper.getErrorString("validation.edituser.password.valid"));
+				} else {
+					UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID);
+					if (dbuser == null || MiscUtil.isEmpty(dbuser.getPassword())) {
+						log.warn("Password is empty");
+						errors.add(LanguageHelper.getErrorString("validation.edituser.password.empty"));
+					}
 				}
 				
-			}
-			else {
-				errors.add(LanguageHelper.getErrorString("validation.edituser.password.equal"));
+			} else {
+				
+				if (check.equals(form.getPassword_second())) {
+				
+					String key = AuthenticationHelper.generateKeyFormPassword(check);
+					if (key == null) {
+						errors.add(LanguageHelper.getErrorString("validation.edituser.password.valid"));
+					}
+					
+				}
+				else {
+					errors.add(LanguageHelper.getErrorString("validation.edituser.password.equal"));
+				}
 			}
 		}
-		
-		
-		
+				
 		check = form.getBpk();
 		if (MiscUtil.isNotEmpty(check)) {
 			if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/ValidationHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/ValidationHelper.java
index aeac75e44..eadf15f84 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/ValidationHelper.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/ValidationHelper.java
@@ -1,18 +1,122 @@
 package at.gv.egovernment.moa.id.configuration.validation;
 
+import iaik.asn1.ObjectID;
+import iaik.utils.Util;
+import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
+
+import java.io.IOException;
 import java.net.MalformedURLException;
+import java.net.Socket;
 import java.net.URL;
+import java.net.UnknownHostException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
 import org.apache.log4j.Logger;
 
+import at.gv.egovernment.moa.id.util.SSLUtils;
+import at.gv.egovernment.moa.util.Constants;
+
 public class ValidationHelper {
 
 	private static final Logger log = Logger.getLogger(ValidationHelper.class);
 	
+	public static boolean isPublicServiceAllowed(String identifier) {
+		
+		SSLSocket socket = null;
+		
+		try {
+			URL url = new URL(identifier);
+			String host = url.getHost();
+			
+			if (host.endsWith("/"))
+				host = host.substring(0, host.length()-1);
+			
+			if (url.getHost().endsWith(at.gv.egovernment.moa.id.configuration.Constants.PUBLICSERVICE_URL_POSTFIX)) {
+				log.debug("PublicURLPrefix with .gv.at Domain found.");
+				return true;
+				
+			} else {
+				SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();			
+				socket = (SSLSocket) factory.createSocket(url.getHost(), url.getPort());
+				socket.startHandshake();
+				
+				SSLSession session = socket.getSession();
+				Certificate[] servercerts = session.getPeerCertificates();
+				X509Certificate[] iaikChain = new X509Certificate[servercerts.length];
+				for (int i=0; i<servercerts.length; i++) {
+					iaikChain[i] = new X509Certificate(servercerts[i].getEncoded());
+				}
+				
+				
+				X509Certificate cert = Util.arrangeCertificateChain(iaikChain, false)[0];
+				
+				if (cert != null) {
+					ObjectID vwOID = new ObjectID("1.2.40.0.10.1.1.1"); // Verwaltungseigenschaft
+					ObjectID dOID = new ObjectID("1.2.40.0.10.1.1.2"); // Dienstleistereigenschaft
+					
+					
+					if ((cert.getExtension(vwOID) == null) && (cert.getExtension(dOID) == null)) {
+						return false;
+						
+					} else {
+						log.info("Found correct X509 Extension in server certificate. PublicService is allowed");
+						return true;
+					}		
+				}
+				
+				return false;
+			}
+				
+		} catch (MalformedURLException e) {
+			log.warn("PublicURLPrefix can not parsed to URL", e);
+			return false;
+			
+		} catch (UnknownHostException e) {
+			log.warn("Can not connect to PublicURLPrefix Server", e);
+			return false;
+			
+		} catch (IOException e) {
+			log.warn("Can not connect to PublicURLPrefix Server", e);
+			return false;
+			
+		} catch (CertificateEncodingException e) {
+			log.warn("Can not parse X509 server certificate", e);
+			return false;
+			
+		} catch (CertificateException e) {
+			log.warn("Can not read X509 server certificate", e);
+			return false;
+			
+		} catch (X509ExtensionInitException e) {
+			log.warn("Can not read X509 server certificate extension", e);
+			return false;
+		}
+		
+		finally {
+			if (socket != null)
+				try {
+					socket.close();
+				} catch (IOException e) {
+					log.warn("SSL Socket can not be closed.", e);
+				}
+		}
+	}
+	
 	public static boolean validateOAID(String oaIDObj) {
 		if (oaIDObj != null) {
 			try {
@@ -62,7 +166,7 @@ public class ValidationHelper {
 		return false;
 	}
 	
-	public static boolean isValidTarget(String target) {
+	public static boolean isValidAdminTarget(String target) {
 		   
 	   log.debug("Ueberpruefe Parameter Target");
 	            
@@ -76,10 +180,24 @@ public class ValidationHelper {
        else {
     	   log.error("Fehler Ueberpruefung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)");
     	  return false;  
-       }
-	            
+       }           
 	}
 	
+	public static boolean isValidTarget(String target) {
+		   
+		   log.debug("Ueberpruefe Parameter Target");
+		            
+	       if (TargetValidator.isValidTarget(target)) {
+	    	   log.debug("Parameter Target erfolgreich ueberprueft");
+	    	  return true;
+	       }
+	       else {
+	    	   log.error("Fehler Ueberpruefung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)");
+	    	  return false;  
+	       }
+		            
+		}
+	
 	public static boolean isValidSourceID(String sourceID) {
 		   
 	   log.debug("Ueberpruefe Parameter sourceID");
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java
index f51095cac..5fc5189d9 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java
@@ -292,7 +292,7 @@ public class MOAConfigValidator {
 			errors.add(LanguageHelper.getErrorString("validation.general.sso.target.empty"));
 			
 		} else {
-			if (!ValidationHelper.isValidTarget(check)) {
+			if (!ValidationHelper.isValidAdminTarget(check)) {
 				log.info("Not valid SSO Target");
 				errors.add(LanguageHelper.getErrorString("validation.general.sso.target.valid"));
 			}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAGeneralConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAGeneralConfigValidation.java
index fa992674e..99371a0e7 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAGeneralConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAGeneralConfigValidation.java
@@ -7,7 +7,10 @@ import java.util.Map;
 import org.apache.log4j.Logger;
 
 import at.gv.egovernment.moa.id.commons.db.dao.config.MOAKeyBoxSelector;
+import at.gv.egovernment.moa.id.configuration.Constants;
+import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
 import at.gv.egovernment.moa.id.configuration.data.oa.OAGeneralConfig;
+import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
 import at.gv.egovernment.moa.id.configuration.validation.CompanyNumberValidator;
 import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper;
@@ -20,51 +23,56 @@ public class OAGeneralConfigValidation {
 	public List<String> validate(OAGeneralConfig form, boolean isAdmin) {
 		
 		List<String> errors = new ArrayList<String>();
+		String check;
 		
-		//validate aditionalAuthBlockText
-		String check = form.getAditionalAuthBlockText();
-		if (MiscUtil.isNotEmpty(check)) {
-			if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
-				log.warn("AditionalAuthBlockText contains potentail XSS characters: " + check);
-				errors.add(LanguageHelper.getErrorString("validation.general.aditionalauthblocktext", 
-						new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+		if (isAdmin) {
+			//validate aditionalAuthBlockText
+			check = form.getAditionalAuthBlockText();
+			if (MiscUtil.isNotEmpty(check)) {
+				if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+					log.warn("AditionalAuthBlockText contains potentail XSS characters: " + check);
+					errors.add(LanguageHelper.getErrorString("validation.general.aditionalauthblocktext", 
+							new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+				}
 			}
 		}
 		
 		//Check BKU URLs
-		check =form.getBkuHandyURL();
-		if (MiscUtil.isEmpty(check)) {
-			log.info("Empty Handy-BKU URL");
-			errors.add(LanguageHelper.getErrorString("validation.general.bku.handy.empty"));
-			
-		} else {
-			if (!ValidationHelper.validateURL(check)) {
-				log.info("Not valid Handy-BKU URL");
-				errors.add(LanguageHelper.getErrorString("validation.general.bku.handy.valid"));
+		if (isAdmin) {
+			check =form.getBkuHandyURL();
+			if (MiscUtil.isEmpty(check)) {
+				log.info("Empty Handy-BKU URL");
+				errors.add(LanguageHelper.getErrorString("validation.general.bku.handy.empty"));
+				
+			} else {
+				if (!ValidationHelper.validateURL(check)) {
+					log.info("Not valid Handy-BKU URL");
+					errors.add(LanguageHelper.getErrorString("validation.general.bku.handy.valid"));
+				}
 			}
-		}
-		
-		check =form.getBkuLocalURL();
-		if (MiscUtil.isEmpty(check)) {
-			log.info("Empty Local-BKU URL");
-			errors.add(LanguageHelper.getErrorString("validation.general.bku.local.empty"));
 			
-		} else {
-			if (!ValidationHelper.validateURL(check)) {
-				log.info("Not valid Online-BKU URL");
-				errors.add(LanguageHelper.getErrorString("validation.general.bku.local.valid"));
+			check =form.getBkuLocalURL();
+			if (MiscUtil.isEmpty(check)) {
+				log.info("Empty Local-BKU URL");
+				errors.add(LanguageHelper.getErrorString("validation.general.bku.local.empty"));
+				
+			} else {
+				if (!ValidationHelper.validateURL(check)) {
+					log.info("Not valid Online-BKU URL");
+					errors.add(LanguageHelper.getErrorString("validation.general.bku.local.valid"));
+				}
 			}
-		}
-		
-		check =form.getBkuOnlineURL();
-		if (MiscUtil.isEmpty(check)) {
-			log.info("Empty Online-BKU URL");
-			errors.add(LanguageHelper.getErrorString("validation.general.bku.online.empty"));
 			
-		} else {
-			if (!ValidationHelper.validateURL(check)) {
-				log.info("Not valid Online-BKU URL");
-				errors.add(LanguageHelper.getErrorString("validation.general.bku.online.valid"));
+			check =form.getBkuOnlineURL();
+			if (MiscUtil.isEmpty(check)) {
+				log.info("Empty Online-BKU URL");
+				errors.add(LanguageHelper.getErrorString("validation.general.bku.online.empty"));
+				
+			} else {
+				if (!ValidationHelper.validateURL(check)) {
+					log.info("Not valid Online-BKU URL");
+					errors.add(LanguageHelper.getErrorString("validation.general.bku.online.valid"));
+				}
 			}
 		}
 		
@@ -78,47 +86,49 @@ public class OAGeneralConfigValidation {
 			}
 		}
 		
-		//check KeyBoxIdentifier
-		check = form.getKeyBoxIdentifier();
-		if (MiscUtil.isEmpty(check)) {
-			log.info("Empty KeyBoxIdentifier");
-			errors.add(LanguageHelper.getErrorString("validation.general.keyboxidentifier.empty"));
-		} else {
-			Map<String, String> list = form.getKeyBoxIdentifierList();
-			if (!list.containsKey(check)) {
-				log.info("Not valid KeyBoxIdentifier " + check);
-				errors.add(LanguageHelper.getErrorString("validation.general.keyboxidentifier.valid"));
-			}
-		}
-		
-		//check LegacyMode SLTemplates
-		if (form.isLegacy()) {
-			if (MiscUtil.isEmpty(form.getSLTemplateURL1()) &&
-				MiscUtil.isEmpty(form.getSLTemplateURL2()) &&
-				MiscUtil.isEmpty(form.getSLTemplateURL3()) ) {
-					log.info("Empty OA-specific SecurityLayer Templates");
-					errors.add(LanguageHelper.getErrorString("validation.general.sltemplates.empty"));
-					
+		if (isAdmin) {
+			//check KeyBoxIdentifier
+			check = form.getKeyBoxIdentifier();
+			if (MiscUtil.isEmpty(check)) {
+				log.info("Empty KeyBoxIdentifier");
+				errors.add(LanguageHelper.getErrorString("validation.general.keyboxidentifier.empty"));
 			} else {
-				check = form.getSLTemplateURL1();
-				if (MiscUtil.isNotEmpty(check) &&
-					!ValidationHelper.validateURL(check)	) {
-						log.info("First OA-specific SecurityLayer Templates is not valid");
-						errors.add(LanguageHelper.getErrorString("validation.general.sltemplate1.valid"));
-				}
-				check = form.getSLTemplateURL2();
-				if (MiscUtil.isNotEmpty(check) &&
-					!ValidationHelper.validateURL(check)	) {
-						log.info("Second OA-specific SecurityLayer Templates is not valid");
-						errors.add(LanguageHelper.getErrorString("validation.general.sltemplate2.valid"));
-				}
-				check = form.getSLTemplateURL3();
-				if (MiscUtil.isNotEmpty(check) &&
-					!ValidationHelper.validateURL(check)	) {
-						log.info("Third OA-specific SecurityLayer Templates is not valid");
-						errors.add(LanguageHelper.getErrorString("validation.general.sltemplate3.valid"));
+				Map<String, String> list = form.getKeyBoxIdentifierList();
+				if (!list.containsKey(check)) {
+					log.info("Not valid KeyBoxIdentifier " + check);
+					errors.add(LanguageHelper.getErrorString("validation.general.keyboxidentifier.valid"));
 				}
-			}	
+			}
+			
+			//check LegacyMode SLTemplates
+			if (form.isLegacy()) {
+				if (MiscUtil.isEmpty(form.getSLTemplateURL1()) &&
+					MiscUtil.isEmpty(form.getSLTemplateURL2()) &&
+					MiscUtil.isEmpty(form.getSLTemplateURL3()) ) {
+						log.info("Empty OA-specific SecurityLayer Templates");
+						errors.add(LanguageHelper.getErrorString("validation.general.sltemplates.empty"));
+						
+				} else {
+					check = form.getSLTemplateURL1();
+					if (MiscUtil.isNotEmpty(check) &&
+						!ValidationHelper.validateURL(check)	) {
+							log.info("First OA-specific SecurityLayer Templates is not valid");
+							errors.add(LanguageHelper.getErrorString("validation.general.sltemplate1.valid"));
+					}
+					check = form.getSLTemplateURL2();
+					if (MiscUtil.isNotEmpty(check) &&
+						!ValidationHelper.validateURL(check)	) {
+							log.info("Second OA-specific SecurityLayer Templates is not valid");
+							errors.add(LanguageHelper.getErrorString("validation.general.sltemplate2.valid"));
+					}
+					check = form.getSLTemplateURL3();
+					if (MiscUtil.isNotEmpty(check) &&
+						!ValidationHelper.validateURL(check)	) {
+							log.info("Third OA-specific SecurityLayer Templates is not valid");
+							errors.add(LanguageHelper.getErrorString("validation.general.sltemplate3.valid"));
+					}
+				}	
+			}
 		}
 		
 		//check Mandate Profiles
@@ -130,23 +140,18 @@ public class OAGeneralConfigValidation {
 						new Object[] {ValidationHelper.getPotentialCSSCharacter(true)} ));
 			}
 		}
-		
-		//check SL Version
-		check = form.getSlVersion();
-		if (MiscUtil.isEmpty(check)) {
-			log.info("Empty SLVersion. Set SLVersion to 1.2");
-			form.setSlVersion("1.2");
-			
-		} else {
-			if (!ValidationHelper.validateNumber(check)) {
-				log.info("Not valid SLVersion");
-				errors.add(LanguageHelper.getErrorString("validation.general.slversion"));
-			}
-		}
-				
+						
 		boolean businessservice = form.isBusinessService();
 		
 		if (businessservice) {
+			
+			//check identification type
+			check = form.getIdentificationType();
+			if (!form.getIdentificationTypeList().contains(check)) {
+				log.info("IdentificationType is not known.");
+				errors.add(LanguageHelper.getErrorString("validation.general.identificationtype.valid"));
+			}
+			
 			//check identification number
 			check = form.getIdentificationNumber();
 			if (MiscUtil.isEmpty(check)) {
@@ -160,49 +165,85 @@ public class OAGeneralConfigValidation {
 							new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
 				}
 				
-				if (check.startsWith("FN")) {
+				if (form.getIdentificationType().equals(Constants.IDENIFICATIONTYPE_FN)) {
 					CompanyNumberValidator val = new CompanyNumberValidator();
-					if (val.validate(check)) {
+					if (!val.validate(check)) {
 						log.info("Not valid CompanyNumber");
 						errors.add(LanguageHelper.getErrorString("validation.general.identificationnumber.fn.valid"));
 					}
 				}
 			}
-			
-			try {
-				float slversion = Float.valueOf(form.getSlVersion());
-				if (slversion < 1.2) {
-					log.info("BusinessService Applications requires SLVersion >= 1.2");
-					errors.add(LanguageHelper.getErrorString("validation.general.slversion.business"));
-					form.setSlVersion("1.2");
-				}
-				
-			} catch (NumberFormatException e) {
-			}
-			
+						
 		} else {
-			//check targetFrindlyName();
-			check = form.getTargetFriendlyName();
+			
+			check = form.getTarget_subsector();
 			if (MiscUtil.isNotEmpty(check)) {
-				if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
-					log.warn("TargetFriendlyName contains potentail XSS characters: " + check);
-					errors.add(LanguageHelper.getErrorString("validation.general.targetfriendlyname", 
-							new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+				if (!ValidationHelper.isValidAdminTarget(check)) {
+					log.info("Not valid Target-Subsector");
+					errors.add(LanguageHelper.getErrorString("validation.general.target.subsector.valid"));
 				}
 			}
 			
-			//check Target
-			check = form.getTarget();
-			if (MiscUtil.isEmpty(check)) {
-				log.info("Empty Target");
-				errors.add(LanguageHelper.getErrorString("validation.general.target.empty"));
+			
+			if (!isAdmin) {
+				//check PublicURL Prefix allows PublicService
+				if (!ValidationHelper.isPublicServiceAllowed(form.getIdentifier())) {
+					log.warn("PublicURLPrefix does not allow PublicService: " + form.getIdentifier());
+					errors.add(LanguageHelper.getErrorString("validation.general.target.publicserviceurl", 
+							new Object[] {form.getIdentifier()} ));
+					form.setBusinessService(true);
+					return errors;
+					
+				}
+				
+				//check Target
+				check = form.getTarget();
+				if (MiscUtil.isEmpty(check)) {
+					log.info("Empty Target");
+					errors.add(LanguageHelper.getErrorString("validation.general.target.empty"));
+					
+				} else {
+					if (!ValidationHelper.isValidTarget(check)) {
+						log.info("Not valid Target");
+						errors.add(LanguageHelper.getErrorString("validation.general.target.valid"));
+					}
+				}
 				
 			} else {
-				if (!ValidationHelper.isValidTarget(check)) {
-					log.info("Not valid Target");
-					errors.add(LanguageHelper.getErrorString("validation.general.target.valid"));
+				
+				//check targetFrindlyName();
+				check = form.getTargetFriendlyName();
+				if (MiscUtil.isNotEmpty(check)) {
+					if (ValidationHelper.containsPotentialCSSCharacter(check, false)) {
+						log.warn("TargetFriendlyName contains potentail XSS characters: " + check);
+						errors.add(LanguageHelper.getErrorString("validation.general.targetfriendlyname", 
+								new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ));
+					}
 				}
-			}	
+
+				if (MiscUtil.isEmpty(form.getTarget()) && MiscUtil.isEmpty(form.getTarget_admin())) {
+					log.info("Empty Target");
+					errors.add(LanguageHelper.getErrorString("validation.general.target.empty"));
+				}
+				
+				//check Target
+				check = form.getTarget();
+				if (MiscUtil.isNotEmpty(check)) {
+					if (!ValidationHelper.isValidTarget(check)) {
+						log.info("Not valid Target");
+						errors.add(LanguageHelper.getErrorString("validation.general.target.valid"));
+					}
+				}
+				
+				//check Admin Target
+				check = form.getTarget_admin();
+				if (MiscUtil.isNotEmpty(check)) {
+					if (!ValidationHelper.isValidAdminTarget(check)) {
+						log.info("Not valid Target");
+						errors.add(LanguageHelper.getErrorString("validation.general.target.admin.valid"));
+					}
+				}
+			}
 		}
 		
 		return errors;
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
index 4a1ef9261..e6ff0a166 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
@@ -1,15 +1,22 @@
 package at.gv.egovernment.moa.id.configuration.validation.oa;
 
 import java.io.IOException;
+import java.net.URL;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.List;
 
 import org.apache.log4j.Logger;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.parse.BasicParserPool;
 
 import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
 import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.MetadataSignatureFilter;
+import at.gv.egovernment.moa.util.FileUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
 
 public class OAPVP2ConfigValidation {
@@ -19,24 +26,59 @@ public class OAPVP2ConfigValidation {
 	public List<String> validate(OAPVP2Config form) {
 		
 		List<String> errors = new ArrayList<String>();
-		
-		String url = form.getMetaDataURL();
-		if (MiscUtil.isNotEmpty(url) && !ValidationHelper.validateURL(url)) {
-			log.info("MetaDataURL has no valid form.");
-			errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid"));
-		}
-		
 		try {
+			byte[] metadata = null;
+			byte[] cert = null;
+			
+			String check = form.getMetaDataURL();
+			if (MiscUtil.isNotEmpty(check)) {
+				if (!ValidationHelper.validateURL(check)) {
+					log.info("MetaDataURL has no valid form.");
+					errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid"));
+				
+				} else {
+					metadata = FileUtils.readURL(check);
+					if (MiscUtil.isEmpty(metadata)) {
+						log.info("Filecontent can not be read form MetaDataURL.");
+						errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read"));
+					}
+				}
+			}
+		
 			if (form.getFileUpload() != null)
-				form.getCertificate();
+				cert  = form.getCertificate();
+			
+//			else {
+//				if (metadata != null) {
+//					log.info("No certificate to verify the Metadata defined.");
+//					errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound"));
+//				}
+//			}
+			
+//			if (cert != null && metadata != null) {
+//				HTTPMetadataProvider httpProvider = new HTTPMetadataProvider(
+//						check, 20000);
+//				httpProvider.setParserPool(new BasicParserPool());
+//				httpProvider.setRequireValidMetadata(true);
+//				MetadataFilter filter = new MetadataSignatureFilter(
+//						check, cert);
+//				httpProvider.setMetadataFilter(filter);
+//				httpProvider.initialize();
+//				
+//			}
+			
 			
 		} catch (CertificateException e) {
 			log.info("Uploaded Certificate can not be found", e);
 			errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound"));
 			
 		} catch (IOException e) {
-			log.info("Uploaded Certificate can not be parsed", e);
-			errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.format"));
+			log.info("Metadata can not be loaded from URL", e);
+			errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read"));
+			
+//		} catch (MetadataProviderException e) {
+//			log.info("MetaDate verification failed");
+//			errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify"));
 		}
 		
 		return errors;