First untested part: Refactor authentication modules and process management to Spring

17 files changed, 693 insertions, 518 deletions

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 11917d0c3..065f3866b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1,10 +1,6 @@
 package at.gv.egovernment.moa.id.auth;
 
 
-import iaik.asn1.ObjectID;
-import iaik.x509.X509Certificate;
-import iaik.x509.X509ExtensionInitException;
-
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -22,6 +18,8 @@ import javax.xml.transform.TransformerException;
 import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.xpath.XPathAPI;
 import org.opensaml.xml.util.Base64;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -29,7 +27,6 @@ import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder;
@@ -63,6 +60,7 @@ import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.MISMandate;
 import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -76,6 +74,9 @@ import at.gv.egovernment.moa.util.DateTimeUtils;
 import at.gv.egovernment.moa.util.FileUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.StringUtils;
+import iaik.asn1.ObjectID;
+import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
 
 /**
  * API for MOA ID Authentication Service.<br> {@link AuthenticationSession} is
@@ -85,24 +86,11 @@ import at.gv.egovernment.moa.util.StringUtils;
  * @version $Id: AuthenticationServer.java 1273 2012-02-27 14:50:18Z kstranacher
  *          $
  */
+@Service("CitizenCardAuthenticationServer")
 public class AuthenticationServer extends BaseAuthenticationServer {
 
-	/**
-	 * single instance
-	 */
-	private static AuthenticationServer instance;
-
-	/**
-	 * Returns the single instance of <code>AuthenticationServer</code>.
-	 *
-	 * @return the single instance of <code>AuthenticationServer</code>
-	 */
-	public static AuthenticationServer getInstance() {
-		if (instance == null)
-			instance = new AuthenticationServer();
-		return instance;
-	}
-
+	@Autowired private MOAReversionLogger revisionsLogger;
+	
 	/**
 	 * Constructor for AuthenticationServer.
 	 */
@@ -139,13 +127,14 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 	 * @param templateMandteURL  URL providing an HTML template for the HTML form generated
 	 *                           (for signing in mandates mode)
 	 * @param req                determines the protocol used
+	 * @param pendingReq 
 	 * @param sourceID
 	 * @return HTML form
 	 * @throws AuthenticationException
 	 * @see GetIdentityLinkFormBuilder
 	 * @see InfoboxReadRequestBuilder
 	 */
-	public String startAuthentication(AuthenticationSession session, HttpServletRequest req) throws WrongParametersException,
+	public String startAuthentication(AuthenticationSession session, HttpServletRequest req, IRequest pendingReq) throws WrongParametersException,
 	AuthenticationException, ConfigurationException, BuildException {
 
 		if (session == null) {
@@ -154,7 +143,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 
 		//load OnlineApplication configuration
 		OAAuthParameter oaParam =
-				AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+				authConfig.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 		if (oaParam == null)
 			throw new AuthenticationException("auth.00", new Object[]{session.getPublicOAURLPrefix()});
 
@@ -172,7 +161,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 
 		String infoboxReadRequest = "";
 
-		String domainIdentifier = AuthConfigurationProviderFactory.getInstance().getSSOTagetIdentifier().trim();
+		String domainIdentifier = authConfig.getSSOTagetIdentifier().trim();
 		if (MiscUtil.isEmpty(domainIdentifier) && session.isSsoRequested()) {
 			//do not use SSO if no Target is set
 			Logger.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!");
@@ -209,34 +198,17 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 
 
 		String dataURL = new DataURLBuilder().buildDataURL(
-				session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session
-				.getSessionID());
+				session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, pendingReq.getRequestID());
 
 		//removed in MOAID 2.0
 		String pushInfobox = "";
 
-		//		VerifyInfoboxParameters verifyInfoboxParameters = oaParam
-		//				.getVerifyInfoboxParameters();
-		//		if (verifyInfoboxParameters != null) {
-		//			pushInfobox = verifyInfoboxParameters.getPushInfobox();
-		//			session.setPushInfobox(pushInfobox);
-		//		}
-
-		//build CertInfo request
-		//removed in MOA-ID 2.0
-		//		String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder()
-		//				.build();
-		//		String certInfoDataURL = new DataURLBuilder()
-		//				.buildDataURL(session.getAuthURL(), REQ_START_AUTHENTICATION,
-		//						session.getSessionID());
-
 		//get Applet Parameters
 		String appletwidth = req.getParameter(PARAM_APPLET_WIDTH);
 		String appletheigth = req.getParameter(PARAM_APPLET_HEIGTH);
 		appletheigth = StringEscapeUtils.escapeHtml(appletheigth);
 		appletwidth = StringEscapeUtils.escapeHtml(appletwidth);
 		
-		//TODO: cleanup before MOA-ID 2.1 release
 		try {
 			String htmlForm = new GetIdentityLinkFormBuilder().build(template,
 					session.getBkuURL(), infoboxReadRequest, dataURL, null,
@@ -333,7 +305,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
 				domVerifyXMLSignatureResponse).parseData();
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		// validates the <VerifyXMLSignatureResponse>
@@ -349,7 +321,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		//Removed in MOA-ID 2.0
 		//verifyInfoboxes(session, infoboxReadResponseParameters, false);
 
-		MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+		revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 				pendingReq, MOAIDEventConstants.AUTHPROCESS_IDL_VALIDATED);
 		
 		return "found!";
@@ -406,7 +378,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		AuthConfiguration authConf = AuthConfigurationProviderFactory
 				.getInstance();
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session,
@@ -441,7 +413,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			throw new AuthenticationException("auth.10", new Object[]{
 					GET_MIS_SESSIONID, PARAM_SESSIONID});
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		try {
@@ -480,7 +452,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 	 */
 	public String getCreateXMLSignatureRequestAuthBlockOrRedirect(
 			AuthenticationSession session, AuthConfiguration authConf,
-			OAAuthParameter oaParam, IRequest pendingReq) throws ConfigurationException,
+			IOAAuthParameters oaParam, IRequest pendingReq) throws ConfigurationException,
 			BuildException, ValidateException {
 
 		//        // check for intermediate processing of the infoboxes
@@ -488,9 +460,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		//            return "Redirect to Input Processor";
 
 		if (authConf == null)
-			authConf = AuthConfigurationProviderFactory.getInstance();
+			authConf = authConfig;
 		if (oaParam == null)
-			oaParam = AuthConfigurationProviderFactory.getInstance()
+			oaParam = authConfig
 			.getOnlineApplicationParameter(
 					session.getPublicOAURLPrefix());
 
@@ -529,7 +501,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		AuthConfiguration authConf = AuthConfigurationProviderFactory
 				.getInstance();
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		return getCreateXMLSignatureRequestForeigID(session, authConf, oaParam,
@@ -546,9 +518,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		//            return "Redirect to Input Processor";
 
 		if (authConf == null)
-			authConf = AuthConfigurationProviderFactory.getInstance();
+			authConf = authConfig;
 		if (oaParam == null)
-			oaParam = AuthConfigurationProviderFactory.getInstance()
+			oaParam = authConfig
 			.getOnlineApplicationParameter(
 					session.getPublicOAURLPrefix());
 
@@ -634,15 +606,11 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 	 *                                      including the <code>&lt;ReadInfoboxResponse&gt;</code>
 	 * @throws BKUException
 	 */
-	public X509Certificate getCertificate(IRequest pendingReq, String sessionID,
+	public X509Certificate getCertificate(IRequest pendingReq,
 			Map<String, String> readInfoboxResponseParameters) throws AuthenticationException,
 			BuildException, ParseException, ConfigurationException,
 			ValidateException, ServiceException, BKUException {
 
-		if (isEmpty(sessionID))
-			throw new AuthenticationException("auth.10", new Object[]{
-					REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID});
-
 		String xmlReadInfoboxResponse = (String) readInfoboxResponseParameters
 				.get(PARAM_XMLRESPONSE);
 
@@ -655,7 +623,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 				xmlReadInfoboxResponse);
 		X509Certificate cert = p.parseCertificate();
 
-		MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+		revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 				pendingReq, MOAIDEventConstants.AUTHPROCESS_CERTIFICATE_VALIDATED);
 		
 		return cert;
@@ -673,7 +641,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 	 *                        to be appended to the AUTH-Block.
 	 */
 	private String buildAuthenticationBlock(AuthenticationSession session,
-			OAAuthParameter oaParam, IRequest pendingReq) throws BuildException {
+			IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException {
 
 		IdentityLink identityLink = session.getIdentityLink();
 		String issuer = identityLink.getName();
@@ -1121,7 +1089,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			}
 		}
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		// validates the <VerifyXMLSignatureResponse>
@@ -1163,10 +1131,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		//set QAA Level four in case of card authentifcation
 		session.setQAALevel(PVPConstants.STORK_QAA_1_4);
 		
-		MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+		revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 				pendingReq, MOAIDEventConstants.AUTHPROCESS_AUTHBLOCK_VALIDATED);
 		
-		MOAReversionLogger.getInstance().logPersonalInformationEvent(pendingReq, session.getIdentityLink() 
+		revisionsLogger.logPersonalInformationEvent(pendingReq, session.getIdentityLink() 
 				);
 	}
 
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/CitizenCardAuthenticationSpringResourceProvider.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/CitizenCardAuthenticationSpringResourceProvider.java
new file mode 100644
index 000000000..18bf5a1ba
--- /dev/null
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/CitizenCardAuthenticationSpringResourceProvider.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+/**
+ * @author tlenz
+ *
+ */
+public class CitizenCardAuthenticationSpringResourceProvider implements SpringResourceProvider {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad()
+	 */
+	@Override
+	public Resource[] getResourcesToLoad() {
+		ClassPathResource citizenCardAuthConfig = new ClassPathResource("/moaid_citizencard_auth.beans.xml", MOAIDAuthSpringResourceProvider.class);					
+		
+		return new Resource[] {citizenCardAuthConfig};	
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan()
+	 */
+	@Override
+	public String[] getPackagesToScan() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName()
+	 */
+	@Override
+	public String getName() {
+		return "MOA-ID-CitizenCardAuthentication SpringResourceProvider";
+	}
+
+}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index 760d28d5b..79f407ca3 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -175,7 +175,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
     String gebDat,
     List<ExtendedSAMLAttribute> extendedSAMLAttributes,
     AuthenticationSession session,
-    OAAuthParameter oaParam)
+    IOAAuthParameters oaParam2)
   throws BuildException
   
   {
@@ -193,7 +193,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
          
          //adding type of wbPK domain identifier        
         ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = 
-             new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+             new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam2.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
             
         extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
          
@@ -255,7 +255,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
     }
     
     //adding friendly name of OA    
-    String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); 
+    String oaFriendlyName = StringUtils.isEmpty(oaParam2.getFriendlyName()) ? "" : oaParam2.getFriendlyName(); 
     
     ExtendedSAMLAttribute oaFriendlyNameAttribute = 
          new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java
deleted file mode 100644
index 5c1b12e0d..000000000
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- * 
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- * 
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-package at.gv.egovernment.moa.id.auth.builder;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import at.gv.egovernment.moa.id.auth.AuthenticationServer;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
-import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
-import at.gv.egovernment.moa.logging.Logger;
-
-public class StartAuthenticationBuilder {
-
-	private static StartAuthenticationBuilder instance = null;
-	
-	public static StartAuthenticationBuilder getInstance() {
-		if (instance == null) {
-			instance = new StartAuthenticationBuilder();
-		}
-		return instance;
-	}
-	
-	
-	/**
-	 * Depending on the selected citizen's country ({@code moasession.ccc}):
-	 * <ul>
-	 * <li><strong>Either</strong> creates an "IdentityLinkForm" with embedded {@code InfoBoxReadRequest} to be submitted to a citizen card
-	 * environment for reading the subject's IdentityLink</li>
-	 * </ul>
-	 * 
-	 * @return The IdentityLinkForm.
-	 */
-	public String build(AuthenticationSession moasession, HttpServletRequest req,
-			HttpServletResponse resp) throws WrongParametersException, MOAIDException {
-		
-		if (moasession == null) {
-			throw new AuthenticationException("auth.18", new Object[] { });
-		}
-		  
-    	//normal MOA-ID authentication
-    	Logger.debug("Starting normal MOA-ID authentication");
-	    			    	    	
-    	String getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(moasession, req);	   
-
-    	return getIdentityLinkForm;
-	}
-}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthModuleImpl.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/AuthModuleImpl.java
index cac7359c7..29118ac17 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthModuleImpl.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/AuthModuleImpl.java
@@ -1,5 +1,6 @@
 package at.gv.egovernment.moa.id.auth.modules.internal;
 
+
 import org.apache.commons.lang3.StringUtils;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
@@ -9,7 +10,7 @@ import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 /**
  * Module descriptor
  */
-public class DefaultAuthModuleImpl implements AuthModule {
+public class AuthModuleImpl implements AuthModule {
 
 	@Override
 	public int getPriority() {
@@ -19,8 +20,15 @@ public class DefaultAuthModuleImpl implements AuthModule {
 	@Override
 	public String selectProcess(ExecutionContext context) {		
 		//select process if BKU is selected and it is no STORK authentication
+		
+		boolean performBKUSelection = false;
+		Object performBKUSelectionObj = context.get("performBKUSelection");
+		if (performBKUSelectionObj != null && performBKUSelectionObj instanceof Boolean)
+			performBKUSelection = (boolean) performBKUSelectionObj;
+		
 		if (StringUtils.isBlank((String) context.get("ccc")) && 
-				StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)))
+				StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)) &&
+				 	!performBKUSelection)
 			return "DefaultAuthentication";
 		
 		else
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java
index 7e1bf1fc7..6ff0177ac 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java
@@ -1,6 +1,7 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.REQ_VERIFY_CERTIFICATE;
 
 import java.io.IOException;
 
@@ -9,22 +10,24 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.CitizenCardServletUtils;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Creates {@code InfoBoxReadRequest} in order to read the subject's certificates.<p/>
@@ -46,44 +49,69 @@ import at.gv.egovernment.moa.logging.Logger;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("CertificateReadRequestTask")
 public class CertificateReadRequestTask extends AbstractAuthServletTask {
 
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
-
-		// TODO[branch]: Foreign citizen or mandate mode; respond with IRR for certificates, dataURL = "/VerifyCertificate"
-		Logger.info("Send InfoboxReadRequest to BKU to get signer certificate.");
-
-		setNoCachingHeaders(resp);		
+		Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
+					
 		try {
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
+			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+			}
+			
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
 		
-			String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
 			
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
-				throw new WrongParametersException("CertificateReadRequestTask", PARAM_SESSIONID, "auth.12");
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
 			}
-
-			AuthenticationSession session = AuthenticationServer.getSession(sessionID);
-
-			boolean useMandate = session.getUseMandate();
+		
+			boolean useMandate = moasession.getUseMandate();
 			boolean identityLinkAvailable = BooleanUtils.isTrue((Boolean) executionContext.get("identityLinkAvailable"));
 			
 			if (!identityLinkAvailable && useMandate) {
 				Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
 				throw new AuthenticationException("auth.13", null);
 			}
-
-			// change MOASessionID
-			AuthenticationSessionStoreage.changeSessionID(session);
 			
 			// create the InfoboxReadRequest to get the certificate
 			String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
 
 			// build dataurl (to the VerifyCertificateSerlvet)
-			String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE,
-					session.getSessionID());
+			String dataurl = new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), REQ_VERIFY_CERTIFICATE,
+					pendingReq.getRequestID());
 
 			CitizenCardServletUtils.writeCreateXMLSignatureRequest(resp, infoboxReadRequest,
 					AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java
index 307074ee2..ef17700d3 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java
@@ -1,33 +1,28 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID;
-
 import java.io.PrintWriter;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
-import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder;
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.auth.servlet.GenerateIFrameTemplateServlet;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.StringUtils;
 
 /**
@@ -62,46 +57,60 @@ import at.gv.egovernment.moa.util.StringUtils;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("CreateIdentityLinkFormTask")
 public class CreateIdentityLinkFormTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
-			throws TaskExecutionException {
-
-		String moasessionid = StringEscapeUtils.escapeHtml(ObjectUtils.defaultIfNull(req.getParameter(PARAM_SESSIONID), (String) executionContext.get(PARAM_SESSIONID)));
-		AuthenticationSession moasession = null;
+			throws TaskExecutionException {		
 		try {
 			
-			if (MiscUtil.isEmpty(moasessionid)) {
-				Logger.warn("MOASessionID is empty.");
-				throw new MOAIDException("auth.18", new Object[] {});
+			IRequest pendingReq = requestStoreage.getPendingRequest(
+					(String) executionContext.get(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID));	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + executionContext.get("pendingRequestID") + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{executionContext.get("pendingRequestID")});
+				
 			}
 			
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+			
+			AuthenticationSession moasession = null;;
 			try {			
-				moasession = AuthenticationSessionStoreage.getSession(moasessionid);
-
-				AuthenticationSessionStoreage.changeSessionID(moasession);
-				executionContext.remove(PARAM_SESSIONID);
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
 			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
 			} catch (MOADatabaseException e) {
-				Logger.info("MOASession with SessionID=" + moasessionid + " is not found in Database");
-				throw new MOAIDException("init.04", new Object[] { moasessionid });
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
 
 			} catch (Throwable e) {
 				Logger.info("No HTTP Session found!");
 				throw new MOAIDException("auth.18", new Object[] {});
 			}
+			
+			
+	
+			
+			
+	    	//normal MOA-ID authentication
+	    	Logger.debug("Starting normal MOA-ID authentication");		    			    	    	
+	    	String getIdentityLinkForm = authServer.startAuthentication(moasession, req, pendingReq);	   
 
-			StartAuthenticationBuilder startauth = StartAuthenticationBuilder.getInstance();
-			String getIdentityLinkForm = startauth.build(moasession, req, resp);
-
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));
 			
 			if (BooleanUtils.isTrue((Boolean) executionContext.get("useMandate")))
-				MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATES_REQUESTED);			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_URL, moasession.getBkuURL());
 			
 			if (!StringUtils.isEmpty(getIdentityLinkForm)) {
@@ -109,7 +118,7 @@ public class CreateIdentityLinkFormTask extends AbstractAuthServletTask {
 				PrintWriter out = new PrintWriter(resp.getOutputStream());
 				out.print(getIdentityLinkForm);
 				out.flush();
-				Logger.debug("Finished GET " + GenerateIFrameTemplateServlet.class);
+				Logger.debug("Finished GET " + CreateIdentityLinkFormTask.class);
 			}
 			
 		} catch (WrongParametersException ex) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java
index b729f26e1..5c88afc56 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java
@@ -1,6 +1,8 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_XMLRESPONSE;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.REQ_VERIFY_AUTH_BLOCK;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -13,12 +15,15 @@ import javax.xml.transform.TransformerException;
 
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
-import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
@@ -33,14 +38,12 @@ import at.gv.egovernment.moa.id.client.SZRGWClientException;
 import at.gv.egovernment.moa.id.client.utils.SZRGWClientUtils;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.ModulUtils;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse;
 
 /**
@@ -68,16 +71,17 @@ import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("GetForeignIDTask")
 public class GetForeignIDTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 
 		Logger.debug("POST GetForeignIDServlet");
 
-		setNoCachingHeaders(resp);
-
 		Map<String, String> parameters;
 
 		try {
@@ -88,30 +92,53 @@ public class GetForeignIDTask extends AbstractAuthServletTask {
 			throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", new IOException(e.getMessage()));
 		}
 		
-		String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
-		String pendingRequestID = null;
-		String redirectURL = null;
-		AuthenticationSession session = null;
 		try {
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
-				throw new WrongParametersException("GetForeignID", PARAM_SESSIONID, "auth.12");
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
+			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
 			}
+			
 			String xmlCreateXMLSignatureResponse = (String) parameters.get(PARAM_XMLRESPONSE);
 			if (!ParamValidatorUtils.isValidXMLDocument(xmlCreateXMLSignatureResponse)) {
 				throw new WrongParametersException("GetForeignID", PARAM_XMLRESPONSE, "auth.12");
 			}
-			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
-			session = AuthenticationServer.getSession(sessionID);
-
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
-					pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_DATAURL_IP, req.getRemoteHost());
 			
-			// change MOASessionID
-			sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
 
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
+			
+			
 			Logger.debug(xmlCreateXMLSignatureResponse);
 
 			CreateXMLSignatureResponse csresp = new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureResponse)
@@ -119,7 +146,7 @@ public class GetForeignIDTask extends AbstractAuthServletTask {
 
 			try {
 				String serializedAssertion = DOMUtils.serializeNode(csresp.getDsigSignature());
-				session.setAuthBlock(serializedAssertion);
+				moasession.setAuthBlock(serializedAssertion);
 
 			} catch (TransformerException e) {
 				throw new ParseException("parser.04", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE });
@@ -132,13 +159,14 @@ public class GetForeignIDTask extends AbstractAuthServletTask {
 			Element signature = csresp.getDsigSignature();
 
 			try {
-				session.setSignerCertificate(AuthenticationServer.getCertificateFromXML(signature));
+				moasession.setSignerCertificate(AuthenticationServer.getCertificateFromXML(signature));
+				
 			} catch (CertificateException e) {
 				Logger.error("Could not extract certificate from CreateXMLSignatureResponse");
 				throw new MOAIDException("auth.14", null);
 			}
 
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_FOREIGN_SZRGW_CONNECTED);
 			
 			// make SZR request to the identity link
@@ -152,30 +180,24 @@ public class GetForeignIDTask extends AbstractAuthServletTask {
 				IdentityLinkAssertionParser ilParser = new IdentityLinkAssertionParser(new ByteArrayInputStream(
 						response.getIdentityLink()));
 				IdentityLink identitylink = ilParser.parseIdentityLink();
-				session.setIdentityLink(identitylink);
+				moasession.setIdentityLink(identitylink);
 
 				// set QAA Level four in case of card authentifcation
-				session.setQAALevel(PVPConstants.STORK_QAA_1_4);
-
-				AuthenticationServer.getInstance().getForeignAuthenticationData(session);
-
-				// session is implicit stored in changeSessionID!!!!
-				String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
+				moasession.setQAALevel(PVPConstants.STORK_QAA_1_4);
 
-				Logger.info("Changed MOASession " + sessionID + " to Session " + newMOASessionID);
-				Logger.info("Daten angelegt zu MOASession " + newMOASessionID);
+				authServer.getForeignAuthenticationData(moasession);
 				
-				MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_FOREIGN_SZRGW_RECEIVED);
 				
 				try {
-					AuthenticationSessionStoreage.storeSession(session);
+					authenticatedSessionStorage.storeSession(moasession);
+					
 				} catch (MOADatabaseException e) {
 					throw new MOAIDException("Session store error", null);
 				}
 
-				//put session to context 
-				executionContext.put(PARAM_SESSIONID, session.getSessionID());
+ 
 			}
 
 		} catch (MOAIDException ex) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java
index d85681b40..938b4ce77 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java
@@ -1,7 +1,7 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
-import iaik.pki.PKIException;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.GET_MIS_SESSIONID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
 
 import java.security.GeneralSecurityException;
 import java.util.List;
@@ -12,34 +12,31 @@ import javax.servlet.http.HttpServletResponse;
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
-import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.config.ConnectionParameter;
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.data.MISMandate;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.ModulUtils;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.pki.PKIException;
 
 /**
  * Retrieves a mandate from the online mandate issuing service.<p/>
@@ -64,45 +61,64 @@ import at.gv.egovernment.moa.util.DOMUtils;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("GetMISSessionIDTask")
 public class GetMISSessionIDTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 		
 		Logger.debug("POST GetMISSessionIDServlet");
 
-		String sessionID = req.getParameter(PARAM_SESSIONID);
-
-		// escape parameter strings
-		sessionID = StringEscapeUtils.escapeHtml(sessionID);
-
-		AuthenticationSession session = null;
-		String pendingRequestID = null;
 		try {
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID))
-				throw new WrongParametersException("VerifyCertificate",
-						PARAM_SESSIONID, "auth.12");
-
-			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
 			
-			session = AuthenticationServer.getSession(sessionID);
-
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+			}
 			
-			//change MOASessionID
-		    sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
 			
-			String misSessionID = session.getMISSessionID();
+			String misSessionID = moasession.getMISSessionID();
 
-			AuthConfiguration authConf = AuthConfigurationProviderFactory
-					.getInstance();
-			ConnectionParameter connectionParameters = authConf
+			ConnectionParameter connectionParameters = authConfig
 					.getOnlineMandatesConnectionParameter();
 			SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(
-					AuthConfigurationProviderFactory.getInstance(),
+					authConfig,
 					connectionParameters);
 
 			List<MISMandate> list = MISSimpleClient.sendGetMandatesRequest(
@@ -113,7 +129,7 @@ public class GetMISSessionIDTask extends AbstractAuthServletTask {
 				throw new AuthenticationException("auth.15", null);
 			}
 
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_RECEIVED);
 
 			
@@ -136,25 +152,17 @@ public class GetMISSessionIDTask extends AbstractAuthServletTask {
 					null, null).getDocumentElement();
 			
 			// extract RepresentationType
-			AuthenticationServer.getInstance().verifyMandate(session, mandate);
+			authServer.verifyMandate(moasession, mandate);
 			
-			session.setMISMandate(mandate);
+			moasession.setMISMandate(mandate);
 			
 			//log mandate specific set of events
-			MOAReversionLogger.getInstance().logMandateEventSet(pendingReq, mandate);
-						
-			String oldsessionID = session.getSessionID();
-			
-			//Session is implicite stored in changeSessionID!!!
-			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			revisionsLogger.logMandateEventSet(pendingReq, mandate);
+									
+			//Stor MOAsession
+			authenticatedSessionStorage.storeSession(moasession);
 			
-			Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID);
-			Logger.info("Daten angelegt zu MOASession " + newMOASessionID);
-
-			//put session to context 
-			executionContext.put(PARAM_SESSIONID, session.getSessionID());
 			
-
 		} catch (MOAIDException ex) {
 			throw new TaskExecutionException(ex.getMessage(), ex);
 			
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
index 1dd4780f7..86d8de047 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
@@ -27,8 +27,9 @@ import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.stereotype.Service;
+
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
@@ -37,12 +38,9 @@ import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.FileUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -51,6 +49,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
  * @author tlenz
  *
  */
+@Service("InitializeBKUAuthenticationTask")
 public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 
 	/* (non-Javadoc)
@@ -62,19 +61,22 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 			throws TaskExecutionException {
 		
 		try {
-	    	String moasessionid = (String) executionContext.get(MOAIDAuthConstants.PARAM_SESSIONID);	    	
-			String pendingRequestID = (String) executionContext.get("pendingRequestID");
-
-			//load pending request
-			IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID);				
+			IRequest pendingReq = requestStoreage.getPendingRequest(
+					(String) executionContext.get(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID));	
+		
 			if (pendingReq == null) {
-				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
-				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				Logger.info("No PendingRequest with Id: " + executionContext.get("pendingRequestID") + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{executionContext.get("pendingRequestID")});
 				
 			}
-	    	
+				    	
 			//load MOASession object
-			AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moasessionid);
+			AuthenticationSession moasession = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			if (moasession == null) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+				
+			}
 			
 			boolean isLegacyRequest = false;
 			Object isLegacyRequestObj = executionContext.get("isLegacyRequest");
@@ -83,8 +85,8 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 
 			if (isLegacyRequest) {
 				//parse request parameter into MOASession
-			    Logger.info("Start Authentication Module: " + moasession.getModul() 
-			    		+ " Action: " + moasession.getAction());
+			    Logger.info("Start Authentication Module: " + pendingReq.requestedModule() 
+			    		+ " Action: " + pendingReq.requestedAction());
 
 				StartAuthentificationParameterParser.parse(executionContext, request, moasession, pendingReq);
 												
@@ -92,12 +94,9 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 		    	String bkuid = (String) executionContext.get(MOAIDAuthConstants.PARAM_BKU);
 		    	String useMandate = (String) executionContext.get(MOAIDAuthConstants.PARAM_USEMANDATE);
 				String ccc = (String) executionContext.get(MOAIDAuthConstants.PARAM_CCC);
-							
-				//remove MOASessionID from executionContext because it is not needed any more
-	
-				
-		    	if (MiscUtil.isEmpty(bkuid) || MiscUtil.isEmpty(moasessionid)) {
-		    		Logger.warn("MOASessionID or BKU-type is empty. Maybe an old BKU-selection template is in use.");
+												
+		    	if (MiscUtil.isEmpty(bkuid)) {
+		    		Logger.warn("BKU-type is empty. Maybe an old BKU-selection template is in use.");
 		    		throw new MOAIDException("auth.23", new Object[] {});
 		    	}
 								
@@ -108,21 +107,21 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 					throw new AuthenticationException("auth.00", new Object[] { moasession.getOAURLRequested() });
 				
 				else {
-					MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+					revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 							pendingReq, MOAIDEventConstants.AUTHPROCESS_BKUTYPE_SELECTED, bkuid);
 					
 			    	//get Target from config or from request in case of SAML 1				
 					String target = null;
-					if (MiscUtil.isNotEmpty(pendingReq.getTarget()) && 
-							pendingReq.requestedModule().equals("id_saml1"))
-						target = pendingReq.getTarget();
+					if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) && 
+							pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol"))
+						target = pendingReq.getGenericData("target", String.class);
 					else
 						target = oaParam.getTarget();
 									
 			    	String bkuURL = oaParam.getBKUURL(bkuid);
 			    	if (MiscUtil.isEmpty(bkuURL)) {
 			    		Logger.info("No OA specific BKU defined. Use BKU from default configuration");
-			    		bkuURL = AuthConfigurationProviderFactory.getInstance().getDefaultBKUURL(bkuid);
+			    		bkuURL = authConfig.getDefaultBKUURL(bkuid);
 			    	}
 			    	
 			    	//search for OA specific template
@@ -133,13 +132,13 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 			    		templateURL = oaTemplateURLList.get(0);
 			    		
 			    	} else {		    	
-			    		templateURL = AuthConfigurationProviderFactory.getInstance().getSLRequestTemplates(bkuid);
+			    		templateURL = authConfig.getSLRequestTemplates(bkuid);
 			    	}
 			    	
 			    	//make url absolut if it is a local url
 		    		if (MiscUtil.isNotEmpty(templateURL))
 		    			templateURL = FileUtils.makeAbsoluteURL(templateURL, 
-		    					AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir());
+		    					authConfig.getRootConfigFileDir());
 			    	
 			    	if (oaParam.isOnlyMandateAllowed()) 
 			    		useMandate = "true";
@@ -155,8 +154,6 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 			    											   templateURL,
 			    											   useMandate,
 			    											   ccc, 
-			    											   moasession.getModul(),
-			    											   moasession.getAction(),
 			    											   request,
 			    											   pendingReq);
 				}
@@ -166,7 +163,8 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 			
 			// make sure moa session has been persisted before running the process
 			try {
-				AuthenticationSessionStoreage.storeSession(moasession);
+				authenticatedSessionStorage.storeSession(moasession);
+				
 			} catch (MOADatabaseException e) {
 				Logger.error("Database Error! MOASession is not stored!");
 				throw new MOAIDException("init.04", new Object[] {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java
index 49888c136..1c5f3c202 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java
@@ -1,29 +1,29 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.CitizenCardServletUtils;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Creates {@code CreateXMLSignatureRequest} for auth block signature.<p/>
@@ -45,47 +45,68 @@ import at.gv.egovernment.moa.logging.Logger;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("PrepareAuthBlockSignatureTask")
 public class PrepareAuthBlockSignatureTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet
 
-		Logger.debug("Process IdentityLink");
-
-		setNoCachingHeaders(resp);
+		Logger.debug("Process CreateAuthBlock Task");
 		
-		String pendingRequestID = null;
-
 		try {
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
 			
-			String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+			}
 			
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
-				throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12");
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
 			}
-
-			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));	
 						
-			AuthenticationSession session = AuthenticationServer.getSession(sessionID);
-
-			// change MOASessionID
-			sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
 				
-			OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(
-					session.getPublicOAURLPrefix());
-			AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
+			
+							
+			IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 
-			String createXMLSignatureRequest = AuthenticationServer.getInstance()
-					.getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, pendingReq);
+			String createXMLSignatureRequest = authServer
+					.getCreateXMLSignatureRequestAuthBlockOrRedirect(moasession, authConfig, oaParam, pendingReq);
 
-			AuthenticationSessionStoreage.storeSession(session);
+			authenticatedSessionStorage.storeSession(moasession);
 			
-			CitizenCardServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session,
+			CitizenCardServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, pendingReq,
 					createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT,
 					"VerifyIdentityLink");
 
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
index 099bc085c..3d8b94239 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
@@ -23,17 +23,21 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
 import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.GET_MIS_SESSIONID;
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
 
 import java.util.List;
 
 import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.stereotype.Service;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
@@ -44,14 +48,9 @@ import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.config.ConnectionParameter;
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISSessionId;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
@@ -63,6 +62,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
  * @author tlenz
  *
  */
+@Service("PrepareGetMISMandateTask")
 public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 
 	/* (non-Javadoc)
@@ -75,62 +75,66 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 
 		//mandate Mode
 		try {
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));	
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							request.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
 			
-			//get Session from context
-			String moasessionid = (String) executionContext.get(PARAM_SESSIONID);
-			AuthenticationSession session = null;				
-			if (MiscUtil.isEmpty(moasessionid)) {
-				Logger.warn("MOASessionID is empty.");
-				throw new MOAIDException("auth.18", new Object[] {});
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
 			}
+			
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
 				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
 			try {			
-				session = AuthenticationSessionStoreage.getSession(moasessionid);
-				AuthenticationSessionStoreage.changeSessionID(session);
-								
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
 			} catch (MOADatabaseException e) {
-				Logger.info("MOASession with SessionID=" + moasessionid + " is not found in Database");
-				throw new MOAIDException("init.04", new Object[] { moasessionid });
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
 
 			} catch (Throwable e) {
 				Logger.info("No HTTP Session found!");
 				throw new MOAIDException("auth.18", new Object[] {});
-				
-			} finally {
-				executionContext.remove(PARAM_SESSIONID);
-				
 			}
-
 			
-		  AuthConfiguration authConf= AuthConfigurationProviderFactory.getInstance();
-			ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();	
-			SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProviderFactory.getInstance(), connectionParameters);
+			ConnectionParameter connectionParameters = authConfig.getOnlineMandatesConnectionParameter();	
+			SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(authConfig, connectionParameters);
 			
 			// get identitity link as byte[]
-			Element elem = session.getIdentityLink().getSamlAssertion();
+			Element elem = moasession.getIdentityLink().getSamlAssertion();
 			String s = DOMUtils.serializeNode(elem);
 			
 			//System.out.println("IDL: " + s);
 			
 			byte[] idl = s.getBytes("UTF-8");
-			
-			// redirect url
-			// build redirect(to the GetMISSessionIdSerlvet)
-			
-			//change MOASessionID before MIS request
-			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
-			
+						
 	        String redirectURL = new DataURLBuilder().buildDataURL(
-			    session.getAuthURL(),
+			    pendingReq.getAuthURL(),
 			    GET_MIS_SESSIONID,
-			    newMOASessionID);
+			    pendingReq.getRequestID());
 			
-	        String oaURL = session.getOAURLRequested();
+	        String oaURL = pendingReq.getOAURL();
 	        IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 	        if (oaParam == null) {
-	        	oaParam = authConf.getOnlineApplicationParameter(oaURL);
+	        	oaParam = authConfig.getOnlineApplicationParameter(oaURL);
 	        	Logger.info("No Service info in PendingRequest --> load service info from configuration");
 	        	
 	        }
@@ -143,9 +147,9 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 	        }
 	        
 	        String oaFriendlyName = oaParam.getFriendlyName();
-	        String mandateReferenceValue = session.getMandateReferenceValue();
-	        byte[] cert = session.getEncodedSignerCertificate();
-	        byte[] authBlock = session.getAuthBlock().getBytes("UTF-8");
+	        String mandateReferenceValue = moasession.getMandateReferenceValue();
+	        byte[] cert = moasession.getEncodedSignerCertificate();
+	        byte[] authBlock = moasession.getAuthBlock().getBytes("UTF-8");
 	        
 	        //TODO: check in case of SSO!!!
 	        String targetType = null;  
@@ -154,13 +158,13 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 	        	if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
 	        		targetType = id;
 	        	else
-	        		targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier();
+	        		targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moasession.getDomainIdentifier();
 	        	
 	        } else {
 	        	targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
 	        }
 	        
-	        MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+	        revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_SERVICE_REQUESTED, mandateReferenceValue);
 	        
 	        MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(
@@ -181,17 +185,17 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 	        }
 	        
 	        String redirectMISGUI = misSessionID.getRedirectURL();
-	        session.setMISSessionID(misSessionID.getSessiondId());
+	        moasession.setMISSessionID(misSessionID.getSessiondId());
 		
 			try {
-				AuthenticationSessionStoreage.storeSession(session);
+				authenticatedSessionStorage.storeSession(moasession);
 				
 			} catch (MOADatabaseException | BuildException e) {
 				throw new MOAIDException("Session store error", null);
 				
 			}
 	        			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_REDIRECT);
 			
 	        response.setStatus(302);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
index 35104bf3e..78be6c8c8 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
@@ -1,50 +1,35 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
-import iaik.pki.PKIException;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_XMLRESPONSE;
 
 import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.util.List;
 import java.util.Map;
 
-import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.xml.transform.TransformerException;
 
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.lang.StringEscapeUtils;
-import org.w3c.dom.Element;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
-import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
-import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.ConnectionParameter;
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.ModulUtils;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
-import at.gv.egovernment.moa.id.util.SSLUtils;
-import at.gv.egovernment.moa.id.util.client.mis.simple.MISSessionId;
-import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Verifies the signed authentication block (provided as {@code CreateXMLSignatureResponse}).<p/>
@@ -79,62 +64,84 @@ import at.gv.egovernment.moa.util.DOMUtils;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("VerifyAuthenticationBlockTask")
 public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
-
-		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyAuthenticationBlockServlet
 		
 		Logger.debug("POST VerifyAuthenticationBlock");
 		
-		String pendingRequestID = null;		
-		
 	    Map<String, String> parameters;
 	    try 
 	    {
 	      parameters = getParameters(req);
 	      
-	    } catch (FileUploadException | IOException e) 
-	    {
+	    } catch (FileUploadException | IOException e) {
 	      Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
 	      throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", new IOException(e.getMessage()));
-	    }
 	      
-			String sessionID = req.getParameter(PARAM_SESSIONID);
-			String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
-
-			// escape parameter strings
-			sessionID = StringEscapeUtils.escapeHtml(sessionID);
-			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
-		   		
+	    }
+	    
+	    String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
+	    		
 			String redirectURL = null;
 			try {
-	         // check parameter
-	         if (!ParamValidatorUtils.isValidSessionID(sessionID))
-	            throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
-	         if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
-	            throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_XMLRESPONSE, "auth.12");
+			    String pendingRequestID = StringEscapeUtils.escapeHtml(
+						ObjectUtils.defaultIfNull(
+								req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+								(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
+				
+				if (MiscUtil.isEmpty(pendingRequestID)) {				
+					Logger.info("No PendingRequestID received");
+					throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+				}
+				
+				if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
+					throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_XMLRESPONSE, "auth.12");
+				
+				IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+			
+				if (pendingReq == null) {
+					Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+					throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+					
+				}
+							
+				//change pending-request ID
+				String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+				executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+										
+				AuthenticationSession moasession = null;;
+				try {			
+					moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+				
+					if (moasession == null) {
+						Logger.warn("MOASessionID is empty.");
+						throw new MOAIDException("auth.18", new Object[] {});
+					}
+					
+				} catch (MOADatabaseException e) {
+					Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+					throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
 
-				AuthenticationSession session = AuthenticationServer.getSession(sessionID);
+				} catch (Throwable e) {
+					Logger.info("No HTTP Session found!");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}				
+											
 
-				IRequest pendingReq = RequestStorage.getPendingRequest(
-						(String) executionContext.get("pendingRequestID"));			
-				MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_DATAURL_IP, req.getRemoteHost());
-								
-				//change MOASessionID
-			    sessionID = AuthenticationSessionStoreage.changeSessionID(session);
-				
-				AuthenticationServer.getInstance().verifyAuthenticationBlock(pendingReq, session, createXMLSignatureResponse);
+												
+				authServer.verifyAuthenticationBlock(pendingReq, moasession, createXMLSignatureResponse);
 				
 				//store all changes in session DAO
-				AuthenticationSessionStoreage.storeSession(session);
-				
-				//put session to context 
-				executionContext.put(PARAM_SESSIONID, session.getSessionID());
-				
+				authenticatedSessionStorage.storeSession(moasession);
+								
 			}
 	    
 			catch (MOAIDException ex) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java
index 2734d1027..5c9a069ee 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java
@@ -1,7 +1,7 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
-import iaik.x509.X509Certificate;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.REQ_GET_FOREIGN_ID;
 
 import java.io.IOException;
 import java.util.Map;
@@ -11,28 +11,28 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.CitizenCardServletUtils;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
-import at.gv.egovernment.moa.id.util.ServletUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.spss.util.CertificateUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.x509.X509Certificate;
 
 /**
  * Parses the certificate from {@code InfoBoxReadResponse} (via POST parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}), creates the auth block to be signed and returns a {@code CreateXMLSignatureRequest} for auth block signature.<p/>
@@ -59,15 +59,18 @@ import at.gv.egovernment.moa.spss.util.CertificateUtils;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("VerifyCertificateTask")
 public class VerifyCertificateTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 
 		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet
 
-		Logger.debug("POST VerifyCertificateServlet");
+		Logger.debug("Reveive VerifyCertificate Response");
 				
 		Map<String, String> parameters;
 	    try 
@@ -78,48 +81,73 @@ public class VerifyCertificateTask extends AbstractAuthServletTask {
 	      Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
 	      throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", new IOException(e.getMessage()));
 	     }
-	    String sessionID = req.getParameter(PARAM_SESSIONID);
-	    
-	    // escape parameter strings
-		sessionID = StringEscapeUtils.escapeHtml(sessionID);
 				
-	    AuthenticationSession session = null;
 	    try {
-	       // check parameter
-	       if (!ParamValidatorUtils.isValidSessionID(sessionID))
-	          throw new WrongParametersException("VerifyCertificate", PARAM_SESSIONID, "auth.12");
-	       
-	    	session = AuthenticationServer.getSession(sessionID);
-	    	
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
+			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+			}
+			
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
+			
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_DATAURL_IP, req.getRemoteHost());
 	    		    	
-	        //change MOASessionID
-	        sessionID = AuthenticationSessionStoreage.changeSessionID(session);
 	    	
-    		X509Certificate cert = AuthenticationServer.getInstance().getCertificate(pendingReq, sessionID, parameters);
+    		X509Certificate cert = authServer.getCertificate(pendingReq, parameters);
     		if (cert == null) {
     			Logger.error("Certificate could not be read.");
     			throw new AuthenticationException("auth.14", null);    		
     		}
     		
-	    	boolean useMandate = session.getUseMandate();
+	    	boolean useMandate = moasession.getUseMandate();
 	    	
 	    	if (useMandate) {
 
 	    		// verify certificate for OrganWalter
-	    		String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyCertificate(session, cert, pendingReq);
+	    		String createXMLSignatureRequestOrRedirect = authServer.verifyCertificate(moasession, cert, pendingReq);
 	    		
 		    	try {
-					AuthenticationSessionStoreage.storeSession(session);
+					authenticatedSessionStorage.storeSession(moasession);
+					
 				} catch (MOADatabaseException e) {
 					throw new MOAIDException("session store error", null);
 				}
 	    		
-		    	// TODO[branch]: Mandate; respond with CXSR for authblock signature, dataURL "/VerifyAuthBlock"
-		    	CitizenCardServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
+		    	CitizenCardServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, pendingReq, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
 	    		
 	    	}
 	    	else {
@@ -133,24 +161,24 @@ public class VerifyCertificateTask extends AbstractAuthServletTask {
 	    		}
 	    		
 	    		// Foreign Identities Modus	
-	    		MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+	    		revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_FOREIGN_FOUND);
 	    		
-		    	String createXMLSignatureRequest = AuthenticationServer.getInstance().createXMLSignatureRequestForeignID(session, cert);
+		    	String createXMLSignatureRequest = authServer.createXMLSignatureRequestForeignID(moasession, cert);
 		      // build dataurl (to the GetForeignIDSerlvet)
 		    	String dataurl =
 	             new DataURLBuilder().buildDataURL(
-	               session.getAuthURL(),
+	               pendingReq.getAuthURL(),
 	               REQ_GET_FOREIGN_ID,
-	               session.getSessionID());
+	               pendingReq.getRequestID());
 	       
-		    	try {
-					AuthenticationSessionStoreage.storeSession(session);
+		    	try {		    		
+					authenticatedSessionStorage.storeSession(moasession);
+					
 				} catch (MOADatabaseException e) {
 					throw new MOAIDException("session store error", null);
 				}
 		    	
-	    		// TODO[branch]: Foreign citizen; respond with CXSR for authblock signature, dataURL "/GetForeignID"
 		    	CitizenCardServletUtils.writeCreateXMLSignatureRequest(resp, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl);
 		    	
 		    	Logger.debug("Send CreateXMLSignatureRequest to BKU");
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java
index 50ef11f27..2c23254e4 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java
@@ -1,6 +1,6 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
 
 import java.io.IOException;
 import java.util.Map;
@@ -9,23 +9,23 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringEscapeUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.ParseException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Verifies the identity link.<p/>
@@ -51,17 +51,16 @@ import at.gv.egovernment.moa.logging.Logger;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("VerifyIdentityLinkTask")
 public class VerifyIdentityLinkTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 
-		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet
-
-		Logger.debug("POST VerifyIdentityLink");
-
-		setNoCachingHeaders(resp);
+		Logger.debug("Receive VerifyIdentityLink Response");
 		
 		Map<String, String> parameters;
 
@@ -74,20 +73,50 @@ public class VerifyIdentityLinkTask extends AbstractAuthServletTask {
 		
 		try {
 			
-			String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
-				throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12");
+			String pendingRequestID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_TARGET_PENDINGREQUESTID));
+			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
 			}
-			AuthenticationSession session = AuthenticationServer.getSession(sessionID);
-
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
+			
+		
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_DATAURL_IP, req.getRemoteHost());
 			
-			boolean identityLinkAvailable = AuthenticationServer.getInstance().verifyIdentityLink(pendingReq, session, parameters) != null;
-			AuthenticationSessionStoreage.storeSession(session);
+			boolean identityLinkAvailable = authServer.verifyIdentityLink(pendingReq, moasession, parameters) != null;
+			
+			authenticatedSessionStorage.storeSession(moasession);
 
 			executionContext.put("identityLinkAvailable", identityLinkAvailable);
 
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java
new file mode 100644
index 000000000..139be49fe
--- /dev/null
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.servlet;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class CitizenCardAuthProcessEngineSignalController extends AbstractProcessEngineSignalController {
+
+	@RequestMapping(value = {"/GetMISSessionID", 
+			 				 "/GetForeignID",
+			 				 "/VerifyAuthBlock",
+			 				 "/VerifyCertificate",
+			 				 "/VerifyIdentityLink"
+           					}, 
+					method = {RequestMethod.POST, RequestMethod.GET})
+	public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+		signalProcessManagement(req, resp);
+
+}
+}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java
index 276d6a105..36bab9355 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java
@@ -53,13 +53,13 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.net.URLEncoder;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.logging.Logger;
 
 /**
@@ -73,21 +73,21 @@ public class CitizenCardServletUtils extends ServletUtils{
    * depending on the requests starting text.
    * 
    * @param resp The httpServletResponse
-   * @param session The current AuthenticationSession
+   * @param pendingReq The current AuthenticationSession
    * @param createXMLSignatureRequestOrRedirect The request
    * @param servletGoal The servlet to which the redirect should happen
    * @param servletName The servlet name for debug purposes
    * @throws MOAIDException
    * @throws IOException
    */
-  public static void writeCreateXMLSignatureRequestOrRedirect(HttpServletResponse resp, AuthenticationSession session, String createXMLSignatureRequestOrRedirect, String servletGoal, String servletName) 
+  public static void writeCreateXMLSignatureRequestOrRedirect(HttpServletResponse resp, IRequest pendingReq, String createXMLSignatureRequestOrRedirect, String servletGoal, String servletName) 
   throws MOAIDException,
          IOException
   { 
     if (!createXMLSignatureRequestOrRedirect.startsWith("Redirect")) {
       resp.setStatus(307);
       String dataURL = new DataURLBuilder().buildDataURL(
-        session.getAuthURL(), MOAIDAuthConstants.REQ_VERIFY_AUTH_BLOCK, session.getSessionID());
+        pendingReq.getAuthURL(), MOAIDAuthConstants.REQ_VERIFY_AUTH_BLOCK, pendingReq.getRequestID());
       resp.addHeader("Location", dataURL);
       
       //TODO test impact of explicit setting charset with older versions of BKUs (HotSign)
@@ -100,7 +100,7 @@ public class CitizenCardServletUtils extends ServletUtils{
       Logger.debug("Finished POST " + servletName);
       
     } else {
-      String redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), servletGoal, session.getSessionID());
+      String redirectURL = new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), servletGoal, pendingReq.getRequestID());
       resp.setContentType("text/html");
       resp.setStatus(302);
       resp.addHeader("Location", redirectURL);