PVP2.X Post and Redirect binding, signing and verification, added PVP2.x Citizen Token attributes

19 files changed, 399 insertions, 40 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 27cd2b5a5..585655e7c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -179,9 +179,9 @@ public class DispatcherServlet extends AuthServlet {
 			}
 
 			HttpSession httpSession = req.getSession();
-
+			IRequest protocolRequest = null;
 			try {
-				IRequest protocolRequest = RequestStorage
+				protocolRequest = RequestStorage
 						.getPendingRequest(httpSession);
 
 				if (protocolRequest != null) {
@@ -250,12 +250,14 @@ public class DispatcherServlet extends AuthServlet {
 				}
 
 				moduleAction.processRequest(protocolRequest, req, resp);
-
+				
 				RequestStorage.removePendingRequest(httpSession);
 
+				AuthenticationManager.logout(req, resp);
+				
 			} catch (Throwable e) {
 				// Try handle module specific, if not possible rethrow
-				if (!info.generateErrorMessage(e, req, resp)) {
+				if (!info.generateErrorMessage(e, req, resp, protocolRequest)) {
 					throw e;
 				}
 			}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java
index 181955c2a..5a2bb1efc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java
@@ -19,5 +19,7 @@ public interface IModulInfo {
 	public IAction canHandleRequest(HttpServletRequest request, 
 			HttpServletResponse response);
 	
-	public boolean generateErrorMessage(Throwable e,HttpServletRequest request, HttpServletResponse response);
+	public boolean generateErrorMessage(Throwable e,
+			HttpServletRequest request, HttpServletResponse response,
+			IRequest protocolRequest) throws Throwable;
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 847f1ae54..feaf59cb2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -14,10 +14,10 @@ import org.apache.commons.lang.StringEscapeUtils;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.AuthnRequest;
 import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.Status;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.StatusMessage;
+import org.opensaml.saml2.core.StatusResponseType;
 
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
@@ -29,8 +29,8 @@ import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException;
 import at.gv.egovernment.moa.id.moduls.ServletInfo;
 import at.gv.egovernment.moa.id.moduls.ServletType;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAResponse;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
@@ -174,8 +174,15 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 	}
 
 	public boolean generateErrorMessage(Throwable e,
-			HttpServletRequest request, HttpServletResponse response) {
-		Response samlResponse = SAML2Utils.createSAMLObject(Response.class);
+			HttpServletRequest request, HttpServletResponse response,
+			IRequest protocolRequest) throws Throwable {
+		
+		if(protocolRequest == null) {
+			throw e;
+		}
+		
+		StatusResponseType samlResponse = 
+				SAML2Utils.createSAMLObject(StatusResponseType.class);
 		Status status = SAML2Utils.createSAMLObject(Status.class);
 		StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class);
 		StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class);
@@ -190,7 +197,10 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 		status.setStatusCode(statusCode);
 		status.setStatusMessage(statusMessage);
 		samlResponse.setStatus(status);
-		return false;
+		IEncoder encoder = new RedirectBinding();
+
+		encoder.encodeRespone(request, response, samlResponse, protocolRequest.getOAURL());
+		return true;
 	}
 
 	public IAction getAction(String action) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java
new file mode 100644
index 000000000..c188914df
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java
@@ -0,0 +1,47 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.binding.artifact.SAMLArtifactMap;
+import org.opensaml.xml.io.MarshallingException;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.StoredAssertion;
+
+public class PVPAssertionStorage implements SAMLArtifactMap {
+
+	private static PVPAssertionStorage instance = null;
+	
+	public static PVPAssertionStorage getInstance() {
+		if(instance == null) {
+			instance = new PVPAssertionStorage();
+		}
+		return instance;
+	}
+	
+	private Map<String, SAMLArtifactMapEntry> assertions = new HashMap<String, SAMLArtifactMapEntry>();
+	
+	public boolean contains(String artifact) {
+		return assertions.containsKey(artifact);
+	}
+
+	public void put(String artifact, String relyingPartyId, String issuerId,
+			SAMLObject samlMessage) throws MarshallingException {
+		SAMLArtifactMapEntry assertion = new StoredAssertion(artifact,
+				relyingPartyId,
+				issuerId,
+				samlMessage);
+		
+		assertions.put(artifact, assertion);
+	}
+
+	public SAMLArtifactMapEntry get(String artifact) {
+		return assertions.get(artifact);
+	}
+
+	public void remove(String artifact) {
+		assertions.remove(artifact);
+	}
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
index f19602c1e..1f13cdfb5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
@@ -1,7 +1,5 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x;
 
-import org.opensaml.saml2.core.RequestAbstractType;
-
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest;
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
new file mode 100644
index 000000000..a7b4a5bc7
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java
@@ -0,0 +1,143 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
+
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.runtime.RuntimeConstants;
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.binding.BasicSAMLMessageContext;
+import org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder;
+import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
+import org.opensaml.saml2.core.RequestAbstractType;
+import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder;
+import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
+import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.BasicCredential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPAssertionStorage;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+
+public class ArtifactBinding implements IDecoder, IEncoder {
+
+	public void encodeRequest(HttpServletRequest req, HttpServletResponse resp,
+			RequestAbstractType request, String targetLocation)
+			throws MessageEncodingException, SecurityException {
+		// TODO Auto-generated method stub
+
+	}
+
+	public void encodeRespone(HttpServletRequest req, HttpServletResponse resp,
+			StatusResponseType response, String targetLocation)
+			throws MessageEncodingException, SecurityException {
+		KeyStore keyStore;
+
+		try {
+			keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+
+			FileInputStream inputStream = new FileInputStream(
+					"/home/afitzek/server/moaid_conf/moaid/pvp.ks");
+			keyStore.load(inputStream, "123456".toCharArray());
+			inputStream.close();
+
+			BasicCredential credentials = new BasicCredential();
+			PrivateKey key = (PrivateKey) keyStore.getKey("pvpIDP",
+					"123456".toCharArray());
+			Certificate cert = keyStore.getCertificate("pvpIDP");
+			credentials.setPublicKey(cert.getPublicKey());
+			credentials.setPrivateKey(key);
+			credentials.setUsageType(UsageType.SIGNING);
+
+			Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
+			signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+			signer.setSigningCredential(credentials);
+
+			response.setSignature(signer);
+			VelocityEngine engine = new VelocityEngine();
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
+			engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
+			engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
+			engine.setProperty("classpath.resource.loader.class",
+					"org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
+			engine.init();
+
+			HTTPArtifactEncoder encoder = new HTTPArtifactEncoder(engine,
+					"resources/templates/pvp_postbinding_template.html",
+					PVPAssertionStorage.getInstance());
+
+			encoder.setPostEncoding(false);
+			HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(
+					resp, true);
+			BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>();
+			SingleSignOnService service = new SingleSignOnServiceBuilder()
+					.buildObject();
+			service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact");
+			service.setLocation(targetLocation);
+			context.setOutboundSAMLMessageSigningCredential(credentials);
+			context.setPeerEntityEndpoint(service);
+			// context.setOutboundMessage(authReq);
+			context.setOutboundSAMLMessage(response);
+			context.setOutboundMessageTransport(responseAdapter);
+
+			encoder.encode(context);
+		} catch (KeyStoreException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (FileNotFoundException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (NoSuchAlgorithmException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (CertificateException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (IOException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		} catch (UnrecoverableKeyException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	public MOARequest decodeRequest(HttpServletRequest req,
+			HttpServletResponse resp) throws MessageDecodingException,
+			SecurityException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	public MOAResponse decodeRespone(HttpServletRequest req,
+			HttpServletResponse resp) throws MessageDecodingException,
+			SecurityException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	public boolean handleDecode(String action) {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
index 8e27de7a5..2778016ba 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java
@@ -3,8 +3,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.Response;
 import org.opensaml.ws.message.decoder.MessageDecodingException;
 import org.opensaml.xml.security.SecurityException;
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
index 06ce311cf..38be055be 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java
@@ -20,7 +20,6 @@ import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
 import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
 import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
-import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
 import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.StatusResponseType;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java
new file mode 100644
index 000000000..0b280fe48
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java
@@ -0,0 +1,126 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
+import org.opensaml.saml2.core.AttributeValue;
+import org.opensaml.xml.Configuration;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.schema.XSInteger;
+import org.opensaml.xml.schema.XSString;
+import org.opensaml.xml.schema.impl.XSIntegerBuilder;
+import org.opensaml.xml.schema.impl.XSStringBuilder;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+
+public class CitizenTokenBuilder {
+
+	public static XMLObject buildAttributeStringValue(String value) {
+		XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME);
+		XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
+		stringValue.setValue(value);
+		return stringValue;
+	}
+	
+	public static XMLObject buildAttributeIntegerValue(int value) {
+		XSIntegerBuilder integerBuilder = (XSIntegerBuilder) Configuration.getBuilderFactory().getBuilder(XSInteger.TYPE_NAME);
+		XSInteger integerValue = integerBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSInteger.TYPE_NAME);
+		integerValue.setValue(value);
+		return integerValue;
+	}
+	
+	public static Attribute buildStringAttribute(String friendlyName, 
+			String name, String value) {
+		Attribute attribute = 
+				SAML2Utils.createSAMLObject(Attribute.class);
+		attribute.setFriendlyName(friendlyName);
+		attribute.setName(name);
+		attribute.getAttributeValues().add(buildAttributeStringValue(value));
+		return attribute;
+	}
+	
+	public static Attribute buildIntegerAttribute(String friendlyName, 
+			String name, int value) {
+		Attribute attribute = 
+				SAML2Utils.createSAMLObject(Attribute.class);
+		attribute.setFriendlyName(friendlyName);
+		attribute.setName(name);
+		attribute.getAttributeValues().add(buildAttributeIntegerValue(value));
+		return attribute;
+	}
+	
+	public static Attribute buildPVPVersion(String value) {
+		return buildStringAttribute("PVP-VERSION",
+				"urn:oid:1.2.40.0.10.2.1.1.261.10", value);
+	}
+	
+	public static Attribute buildSecClass(int value) {
+		return buildIntegerAttribute("SECCLASS",
+				"", value);
+	}
+	
+	public static Attribute buildPrincipalName(String value) {
+		return buildStringAttribute("PRINCIPAL-NAME",
+				"urn:oid:1.2.40.0.10.2.1.1.261.20", value);
+	}
+	
+	public static Attribute buildGivenName(String value) {
+		return buildStringAttribute("GIVEN-NAME",
+				"urn:oid:2.5.4.42", value);
+	}
+	
+	public static Attribute buildBirthday(String value) {
+		return buildStringAttribute("BIRTHDATE",
+				"urn:oid:1.2.40.0.10.2.1.1.55", value);
+	}
+	
+	public static Attribute buildBPK(String value) {
+		return buildStringAttribute("BPK",
+				"urn:oid:1.2.40.0.10.2.1.1.149", value);
+	}
+	
+	public static Attribute buildEID_CITIZEN_QAALEVEL(int value) {
+		return buildIntegerAttribute("EID-CITIZEN-QAA-LEVEL",
+				"urn:oid:1.2.40.0.10.2.1.1.261.94", value);
+	}
+	
+	public static Attribute buildEID_ISSUING_NATION(String value) {
+		return buildStringAttribute("EID-ISSUING-NATION",
+				"urn:oid:1.2.40.0.10.2.1.1.261.32", value);
+	}
+	
+	public static Attribute buildEID_SECTOR_FOR_IDENTIFIER(String value) {
+		return buildStringAttribute("EID-SECTOR-FOR-IDENTIFIER",
+				"urn:oid:1.2.40.0.10.2.1.1.261.34", value);
+	}
+	
+	
+	public static AttributeStatement buildCitizenToken(MOARequest obj,
+			AuthenticationSession authSession) {
+		AttributeStatement statement = 
+				SAML2Utils.createSAMLObject(AttributeStatement.class);
+		
+		Attribute pvpVersion = buildPVPVersion("2.1");
+		Attribute secClass = buildSecClass(3);
+		Attribute principalName = buildPrincipalName(authSession.getAuthData().getFamilyName());
+		Attribute givenName = buildGivenName(authSession.getAuthData().getGivenName());
+		Attribute birthdate = buildBirthday(authSession.getAuthData().getDateOfBirth());
+		Attribute bpk = buildBPK(authSession.getAuthData().getIdentificationValue());
+		Attribute eid_citizen_qaa = buildEID_CITIZEN_QAALEVEL(3);
+		Attribute eid_issuing_nation = buildEID_ISSUING_NATION("AT");
+		Attribute eid_sector_for_id = buildEID_SECTOR_FOR_IDENTIFIER(authSession.getAuthData().getIdentificationType());
+		
+		statement.getAttributes().add(pvpVersion);
+		statement.getAttributes().add(secClass);
+		statement.getAttributes().add(principalName);
+		statement.getAttributes().add(givenName);
+		statement.getAttributes().add(birthdate);
+		statement.getAttributes().add(bpk);
+		statement.getAttributes().add(eid_citizen_qaa);
+		statement.getAttributes().add(eid_issuing_nation);
+		statement.getAttributes().add(eid_sector_for_id);
+		
+		return statement;
+	}
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 8dad932e2..346883a94 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -5,15 +5,13 @@ import java.util.List;
 
 import javax.xml.namespace.QName;
 
-import org.opensaml.DefaultBootstrap;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
 import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
-import org.opensaml.xml.ConfigurationException;
 import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.parse.BasicParserPool;
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 4af35e325..27e248081 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -11,25 +11,19 @@ import org.opensaml.saml2.core.AuthnContext;
 import org.opensaml.saml2.core.AuthnContextClassRef;
 import org.opensaml.saml2.core.AuthnRequest;
 import org.opensaml.saml2.core.AuthnStatement;
-import org.opensaml.saml2.core.BaseID;
 import org.opensaml.saml2.core.Issuer;
 import org.opensaml.saml2.core.NameID;
-import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.Subject;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.xml.security.SecurityException;
 
-import edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredIDStore.PersistentIdEntry;
-
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
-import at.gv.egovernment.moa.id.moduls.AuthenticationSessionStore;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.CitizenTokenBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.util.HTTPUtils;
 
 public class AuthnRequestHandler implements IRequestHandler {
 
@@ -70,6 +64,8 @@ public class AuthnRequestHandler implements IRequestHandler {
 		subjectNameID.setValue(authSession.getAuthData().getIdentificationValue());
 		subject.setNameID(subjectNameID);
 		
+		assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj, authSession));
+		
 		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
 		issuer.setValue("pvpIDP");
 		assertion.setIssuer(issuer);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java
index 74e8d8d4b..a971df93b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java
@@ -3,8 +3,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.opensaml.saml2.core.RequestAbstractType;
-
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest;
 
 public interface IRequestHandler {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
index fa2ce4f79..0fa5a7193 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
@@ -11,15 +11,12 @@ import javax.xml.transform.TransformerException;
 import org.opensaml.Configuration;
 import org.opensaml.saml2.core.Status;
 import org.opensaml.saml2.core.StatusCode;
-import org.opensaml.saml2.core.StatusMessage;
 import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.XMLObjectBuilderFactory;
 import org.opensaml.xml.io.Marshaller;
 import org.opensaml.xml.io.MarshallingException;
 import org.w3c.dom.Document;
 
-import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException;
-
 public class SAML2Utils {
 
 	public static <T> T createSAMLObject(final Class<T> clazz) {
@@ -29,6 +26,7 @@ public class SAML2Utils {
 
 			QName defaultElementName = (QName) clazz.getDeclaredField(
 					"DEFAULT_ELEMENT_NAME").get(null);
+			@SuppressWarnings("unchecked")
 			T object = (T) builderFactory.getBuilder(defaultElementName)
 					.buildObject(defaultElementName);
 			return object;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/StoredAssertion.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/StoredAssertion.java
new file mode 100644
index 000000000..70793d073
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/StoredAssertion.java
@@ -0,0 +1,48 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
+
+import org.joda.time.DateTime;
+import org.opensaml.common.SAMLObject;
+import org.opensaml.common.binding.artifact.SAMLArtifactMap.SAMLArtifactMapEntry;
+
+public class StoredAssertion implements SAMLArtifactMapEntry {
+	private String artifact;
+	private String relyingPartyId;
+	private String issuerId;
+	private SAMLObject samlMessage;
+	private DateTime expirationTime; 
+	
+	public StoredAssertion(String artifact,
+			String relyingPartyId,
+			String issuerId,
+			SAMLObject samlMessage) {
+		this.artifact = artifact;
+		this.relyingPartyId = relyingPartyId;
+		this.issuerId = issuerId;
+		this.samlMessage = samlMessage;
+		this.expirationTime = new DateTime();
+		this.expirationTime.plusMinutes(5);
+	}
+	
+	public DateTime getExpirationTime() {
+		return expirationTime;
+	}
+	
+	public boolean isExpired() {
+		return this.expirationTime.isAfterNow();
+	}
+	
+	public void onExpire() {
+	}
+	public String getArtifact() {
+		return artifact;
+	}
+	public String getIssuerId() {
+		return issuerId;
+	}
+	public String getRelyingPartyId() {
+		return relyingPartyId;
+	}
+	public SAMLObject getSamlMessage() {
+		return samlMessage;
+	}
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java
index af77213df..37289a8e3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java
@@ -5,9 +5,6 @@ import org.opensaml.security.SAMLSignatureProfileValidator;
 import org.opensaml.xml.validation.ValidationException;
 import org.w3c.dom.Element;
 
-import eu.stork.vidp.messages.util.SAMLUtil;
-import eu.stork.vidp.messages.util.XMLUtil;
-
 import at.gv.egovernment.moa.id.BuildException;
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.ParseException;
@@ -19,6 +16,7 @@ import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.logging.Logger;
+import eu.stork.vidp.messages.util.XMLUtil;
 
 public class SAMLVerifierMOASP implements ISAMLVerifier {
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java
index 54bea4bb4..f5219f7e9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactServlet.java
@@ -1,7 +1,6 @@
 package at.gv.egovernment.moa.id.protocols.saml1;
 
 import java.io.IOException;
-import java.io.OutputStream;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -13,12 +12,9 @@ import org.apache.commons.lang.StringEscapeUtils;
 import at.gv.egovernment.moa.id.AuthenticationException;
 import at.gv.egovernment.moa.id.BuildException;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
-import at.gv.egovernment.moa.id.auth.builder.LoginConfirmationBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
index 3a9b79163..784dec0df 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
@@ -28,12 +28,10 @@ import java.util.Calendar;
 
 import org.apache.axis.AxisFault;
 import org.w3c.dom.Element;
-
 import org.w3c.dom.NodeList;
 
 import at.gv.egovernment.moa.id.AuthenticationException;
 import at.gv.egovernment.moa.id.MOAIDException;
-import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.builder.SAMLResponseBuilder;
 import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 7e4313087..4399c556b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -38,6 +38,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 	// TODO: for clustering we have to replicate this data to other servers
 	// We might need to introduce a openEJB to accomplish this
 	/** authentication data store (assertion handle -> AuthenticationData) */
+	@SuppressWarnings("rawtypes")
 	private static Map authenticationDataStore = new HashMap();
 	
 	/**
@@ -270,6 +271,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 	 * @throws AuthenticationException
 	 *             when SAML artifact is invalid
 	 */
+	@SuppressWarnings("unchecked")
 	private static void storeAuthenticationData(String samlArtifact,
 			AuthenticationData authData) throws AuthenticationException {
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index d184643c4..1731a738c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -76,7 +76,9 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
 	}
 
 	public boolean generateErrorMessage(Throwable e,
-			HttpServletRequest request, HttpServletResponse response) {
+			HttpServletRequest request, HttpServletResponse response,
+			IRequest protocolRequest) 
+					throws Throwable{
 		// TODO Auto-generated method stub
 		return false;
 	}